Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
1.1. http://www.sabreairlinesolutions.com/home/about [name of an arbitrarily supplied request parameter]next
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/about
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %008d9e6<a>33ec97544e9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8d9e6<a>33ec97544e9 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/about?%008d9e6<a>33ec97544e9=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a>33ec97544e9=1">about?%008d9e6<a>33ec97544e9=1</a> ...[SNIP]...
1.2. http://www.sabreairlinesolutions.com/home/about [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/about
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00aabbe"><a>a58115eef59 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aabbe"><a>a58115eef59 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/about?%00aabbe"><a>a58115eef59=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/home/about?%00aabbe"><a>a58115eef59=1"> ...[SNIP]...
1.3. http://www.sabreairlinesolutions.com/home/about/complete_the_picture/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/about/complete_the_picture/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00e3fbe"><a>dc36cf7621c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e3fbe"><a>dc36cf7621c in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/about/complete_the_picture/?%00e3fbe"><a>dc36cf7621c=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/home/about/complete_the_picture/?%00e3fbe"><a>dc36cf7621c=1"> ...[SNIP]...
1.4. http://www.sabreairlinesolutions.com/home/about/complete_the_picture/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/about/complete_the_picture/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %005a124<a>7c7621995ce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5a124<a>7c7621995ce in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/about/complete_the_picture/?%005a124<a>7c7621995ce=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a>7c7621995ce=1">?%005a124<a>7c7621995ce=1</a> ...[SNIP]...
1.5. http://www.sabreairlinesolutions.com/home/about/copyright_and_trademark/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/about/copyright_and_trademark/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %007b237"><a>8a1a1739deb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7b237"><a>8a1a1739deb in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/about/copyright_and_trademark/?%007b237"><a>8a1a1739deb=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/home/about/copyright_and_trademark/?%007b237"><a>8a1a1739deb=1"> ...[SNIP]...
1.6. http://www.sabreairlinesolutions.com/home/about/copyright_and_trademark/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/about/copyright_and_trademark/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00d173d<a>be434099c51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d173d<a>be434099c51 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/about/copyright_and_trademark/?%00d173d<a>be434099c51=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a>be434099c51=1">?%00d173d<a>be434099c51=1</a> ...[SNIP]...
1.7. http://www.sabreairlinesolutions.com/home/about/executive_team/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/about/executive_team/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00aeed6<a>fb035baa803 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aeed6<a>fb035baa803 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/about/executive_team/?%00aeed6<a>fb035baa803=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=970953067; __utmc=178985382; exp_last_activity=1286313086; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content ...[SNIP]... <a>fb035baa803=1">?%00aeed6<a>fb035baa803=1</a> ...[SNIP]...
1.8. http://www.sabreairlinesolutions.com/home/about/executive_team/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/about/executive_team/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d1445"><a>c4609654fa0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d1445"><a>c4609654fa0 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/about/executive_team/?%00d1445"><a>c4609654fa0=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=970953067; __utmc=178985382; exp_last_activity=1286313086; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content ...[SNIP]... <a href="/home/about/executive_team/?%00d1445"><a>c4609654fa0=1"> ...[SNIP]...
1.9. http://www.sabreairlinesolutions.com/home/about/media_press/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/about/media_press/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00db3c3<a>7a618a34698 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as db3c3<a>7a618a34698 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/about/media_press/?%00db3c3<a>7a618a34698=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=970953067; __utmc=178985382; exp_last_activity=1286313086; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a>7a618a34698=1">?%00db3c3<a>7a618a34698=1</a> ...[SNIP]...
1.10. http://www.sabreairlinesolutions.com/home/about/media_press/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/about/media_press/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0049524"><a>16b0673047b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 49524"><a>16b0673047b in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/about/media_press/?%0049524"><a>16b0673047b=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=970953067; __utmc=178985382; exp_last_activity=1286313086; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/home/about/media_press/?%0049524"><a>16b0673047b=1"> ...[SNIP]...
1.11. http://www.sabreairlinesolutions.com/home/about/privacy_policy/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/about/privacy_policy/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00a8a68<a>7124b9a8c58 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a8a68<a>7124b9a8c58 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/about/privacy_policy/?%00a8a68<a>7124b9a8c58=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a>7124b9a8c58=1">?%00a8a68<a>7124b9a8c58=1</a> ...[SNIP]...
1.12. http://www.sabreairlinesolutions.com/home/about/privacy_policy/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/about/privacy_policy/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00eb01d"><a>04cb2f1cd5a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eb01d"><a>04cb2f1cd5a in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/about/privacy_policy/?%00eb01d"><a>04cb2f1cd5a=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/home/about/privacy_policy/?%00eb01d"><a>04cb2f1cd5a=1"> ...[SNIP]...
1.13. http://www.sabreairlinesolutions.com/home/about/sitemap/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/about/sitemap/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %0083dbb<a>81f2d4d8262 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 83dbb<a>81f2d4d8262 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/about/sitemap/?%0083dbb<a>81f2d4d8262=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a>81f2d4d8262=1">?%0083dbb<a>81f2d4d8262=1</a> ...[SNIP]...
1.14. http://www.sabreairlinesolutions.com/home/about/sitemap/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/about/sitemap/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0080478"><a>1c4558ae88c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 80478"><a>1c4558ae88c in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/about/sitemap/?%0080478"><a>1c4558ae88c=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a href="/home/about/sitemap/?%0080478"><a>1c4558ae88c=1"> ...[SNIP]...
1.15. http://www.sabreairlinesolutions.com/home/about/the_as_advantage/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/about/the_as_advantage/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00b4ab8"><a>1b259e8819c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b4ab8"><a>1b259e8819c in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/about/the_as_advantage/?%00b4ab8"><a>1b259e8819c=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=970953067; __utmc=178985382; exp_last_activity=1286313086; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/home/about/the_as_advantage/?%00b4ab8"><a>1b259e8819c=1"> ...[SNIP]...
1.16. http://www.sabreairlinesolutions.com/home/about/the_as_advantage/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/about/the_as_advantage/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %0067889<a>5795562558c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 67889<a>5795562558c in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/about/the_as_advantage/?%0067889<a>5795562558c=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=970953067; __utmc=178985382; exp_last_activity=1286313086; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a>5795562558c=1">?%0067889<a>5795562558c=1</a> ...[SNIP]...
1.17. http://www.sabreairlinesolutions.com/home/ascend [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/ascend
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00c967d"><a>94f7e2076ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c967d"><a>94f7e2076ed in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/ascend?%00c967d"><a>94f7e2076ed=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/home/ascend?%00c967d"><a>94f7e2076ed=1"> ...[SNIP]...
1.18. http://www.sabreairlinesolutions.com/home/ascend [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/ascend
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %006715a<a>ea87d7ca60d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6715a<a>ea87d7ca60d in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/ascend?%006715a<a>ea87d7ca60d=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a>ea87d7ca60d=1">ascend?%006715a<a>ea87d7ca60d=1</a> ...[SNIP]...
1.19. http://www.sabreairlinesolutions.com/home/business_issues [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/business_issues
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00ac59a<a>fa88b4375a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ac59a<a>fa88b4375a1 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/business_issues?%00ac59a<a>fa88b4375a1=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conten ...[SNIP]... <a>fa88b4375a1=1">business issues?%00ac59a<a>fa88b4375a1=1</a> ...[SNIP]...
1.20. http://www.sabreairlinesolutions.com/home/business_issues [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/business_issues
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d1fb2"><a>4652b7d32bc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d1fb2"><a>4652b7d32bc in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/business_issues?%00d1fb2"><a>4652b7d32bc=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conten ...[SNIP]... <a href="/home/business_issues?%00d1fb2"><a>4652b7d32bc=1"> ...[SNIP]...
1.21. http://www.sabreairlinesolutions.com/home/contact [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/contact
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %002e1da"><a>9ac32faf577 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2e1da"><a>9ac32faf577 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/contact?%002e1da"><a>9ac32faf577=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/home/contact?%002e1da"><a>9ac32faf577=1"> ...[SNIP]...
1.22. http://www.sabreairlinesolutions.com/home/contact [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/contact
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %009b671<a>9f2cd3ee1c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9b671<a>9f2cd3ee1c2 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/contact?%009b671<a>9f2cd3ee1c2=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the %0048092<a>12e2bef5c79 request parameter is copied into the HTML document as plain text between tags. The payload aaf9b<a>7ed837c277b was submitted in the %0048092<a>12e2bef5c79 parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of the %0048092<a>12e2bef5c79 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 633a2"><a>735ea7d59b4 was submitted in the %0048092<a>12e2bef5c79 parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a>12e2bef5c79=1633a2"><a>735ea7d59b4"> ...[SNIP]...
1.25. http://www.sabreairlinesolutions.com/home/news_events [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/news_events
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %0048092<a>12e2bef5c79 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 48092<a>12e2bef5c79 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/news_events?%0048092<a>12e2bef5c79=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a>12e2bef5c79=1">news events?%0048092<a>12e2bef5c79=1</a> ...[SNIP]...
1.26. http://www.sabreairlinesolutions.com/home/news_events [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/news_events
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0016d00"><a>26e1511d709 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 16d00"><a>26e1511d709 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/news_events?%0016d00"><a>26e1511d709=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/home/news_events?%0016d00"><a>26e1511d709=1"> ...[SNIP]...
1.27. http://www.sabreairlinesolutions.com/home/news_events/event/operations_user_conference2 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %003f5dc<a>9dfb4e57842 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3f5dc<a>9dfb4e57842 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/news_events/event/operations_user_conference2?%003f5dc<a>9dfb4e57842=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a>9dfb4e57842=1">operations user conference2?%003f5dc<a>9dfb4e57842=1</a> ...[SNIP]...
1.28. http://www.sabreairlinesolutions.com/home/news_events/event/operations_user_conference2 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0053da6"><a>69ed5e196d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 53da6"><a>69ed5e196d9 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/news_events/event/operations_user_conference2?%0053da6"><a>69ed5e196d9=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a href="/home/news_events/event/operations_user_conference2?%0053da6"><a>69ed5e196d9=1"> ...[SNIP]...
1.29. http://www.sabreairlinesolutions.com/home/products_services [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/products_services
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d6be4"><a>c4f7a80bf90 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d6be4"><a>c4f7a80bf90 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/products_services?%00d6be4"><a>c4f7a80bf90=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/home/products_services?%00d6be4"><a>c4f7a80bf90=1"> ...[SNIP]...
1.30. http://www.sabreairlinesolutions.com/home/products_services [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/products_services
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00f168a<a>a4b9edf696c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f168a<a>a4b9edf696c in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/products_services?%00f168a<a>a4b9edf696c=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a>a4b9edf696c=1">products services?%00f168a<a>a4b9edf696c=1</a> ...[SNIP]...
1.31. http://www.sabreairlinesolutions.com/home/products_services/customer_sales_service [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/products_services/customer_sales_service
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00adecf"><a>1bef3683590 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as adecf"><a>1bef3683590 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/products_services/customer_sales_service?%00adecf"><a>1bef3683590=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=970953067; __utmc=178985382; exp_last_activity=1286313086; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content ...[SNIP]... <a href="/home/products_services/airline_reservations?%00adecf"><a>1bef3683590=1"> ...[SNIP]...
1.32. http://www.sabreairlinesolutions.com/home/products_services/customer_sales_service [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/products_services/customer_sales_service
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00aeb35<a>369136b3e40 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aeb35<a>369136b3e40 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/products_services/customer_sales_service?%00aeb35<a>369136b3e40=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=970953067; __utmc=178985382; exp_last_activity=1286313086; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content ...[SNIP]... <a>369136b3e40=1">airline reservations?%00aeb35<a>369136b3e40=1</a> ...[SNIP]...
1.33. http://www.sabreairlinesolutions.com/home/products_services/marketing_planning [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/products_services/marketing_planning
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00fb6b0"><a>8510af1fb38 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fb6b0"><a>8510af1fb38 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/products_services/marketing_planning?%00fb6b0"><a>8510af1fb38=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=970953067; __utmc=178985382; exp_last_activity=1286313086; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content ...[SNIP]... <a href="/home/products_services/commercial_planning?%00fb6b0"><a>8510af1fb38=1"> ...[SNIP]...
1.34. http://www.sabreairlinesolutions.com/home/products_services/marketing_planning [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.sabreairlinesolutions.com
Path:
/home/products_services/marketing_planning
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %007ccb0<a>5cde0e806bb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7ccb0<a>5cde0e806bb in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/products_services/marketing_planning?%007ccb0<a>5cde0e806bb=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=970953067; __utmc=178985382; exp_last_activity=1286313086; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content ...[SNIP]... <a>5cde0e806bb=1">commercial planning?%007ccb0<a>5cde0e806bb=1</a> ...[SNIP]...
1.35. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_community_portal [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00422ae"><a>63ba76bb82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 422ae"><a>63ba76bb82 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/products_services/product/sabre_community_portal?%00422ae"><a>63ba76bb82=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/home/products_services/sabre_community_portal?%00422ae"><a>63ba76bb82=1"> ...[SNIP]...
1.36. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_community_portal [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %0012e88<a>8d24e449678 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 12e88<a>8d24e449678 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/products_services/product/sabre_community_portal?%0012e88<a>8d24e449678=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a>8d24e449678=1">sabre community portal?%0012e88<a>8d24e449678=1</a> ...[SNIP]...
1.37. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_reaccommodation_manager/ [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00e0d54<a>72ad5be874f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e0d54<a>72ad5be874f in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/products_services/product/sabre_reaccommodation_manager/?%00e0d54<a>72ad5be874f=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a>72ad5be874f=1">?%00e0d54<a>72ad5be874f=1</a> ...[SNIP]...
1.38. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_reaccommodation_manager/ [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0044679"><a>67dc0282d92 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 44679"><a>67dc0282d92 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /home/products_services/product/sabre_reaccommodation_manager/?%0044679"><a>67dc0282d92=1 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.
If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.
You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.
Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.
Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.
Issue remediation
The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <br /> <a href="http://phx.corporate-ir.net/phoenix.zhtml?c=73098&p=irol-newsArticle&ID=1475404&highlight=" target="_blank">Sabre Holdings acquires flight planning company f:wz</a> ...[SNIP]... <br /> <a href="http://phx.corporate-ir.net/phoenix.zhtml?c=73098&p=irol-newsArticle&ID=1474743&highlight=" target="_blank">Sabre President Tapped by U.S. Commerce Secretary to encourage tourism to the United States</a> ...[SNIP]... <br /> <a href="http://phx.corporate-ir.net/phoenix.zhtml?c=73098&p=irol-newsArticle&ID=1474241&highlight=" target="_blank">TRIP Linhas A..reas selects SabreSonic CSS reservations system, Sabre operations solutions</a> ...[SNIP]... <br /> <a href="http://phx.corporate-ir.net/phoenix.zhtml?c=73098&p=irol-newsArticle&ID=1465117&highlight=" target="_blank">Airphil Express stays with Sabre for rebirth and growth</a> ...[SNIP]... <br /> <a href="http://www.sabre-holdings.com/newsroom/pdfs/Sam-Gilliland-NBTA-2010.pdf" target="_blank"><strong> ...[SNIP]... <br /> <a href="http://www.sabre-events.com/2010-airvision-design-conference">AirVision Design Conference - London England</a> ...[SNIP]... <p>Committed to minimizing the environmental impact of our global operations and to promoting sustainable business practices in travel and tourism. <a href="http://www.sabre-holdings.com/aboutUs/corporate/sustainability.html">www.sabre-holdings.com</a> ...[SNIP]... <p>Get online access to all the product resources you need with the <a href="http://community.sabre.com"><em> ...[SNIP]... <li id="careers"><a href="http://sabre-holdings.com/careers/index.html">Careers</a> ...[SNIP]... <li id="holdings"><a href="http://www.sabre-holdings.com">Sabre Holdings</a> ...[SNIP]...
When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.
If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.
Issue remediation
Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.
Request
GET /home/search/show_results HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.
You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /home HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=970953067; __utmc=178985382; exp_last_activity=1286313086; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /home/about/complete_the_picture/ HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /home/about/copyright_and_trademark/ HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /home/about/executive_team/ HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=970953067; __utmc=178985382; exp_last_activity=1286313086; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /home/about/media_press/ HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=970953067; __utmc=178985382; exp_last_activity=1286313086; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /home/about/privacy_policy/ HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /home/about/sitemap/ HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=970953067; __utmc=178985382; exp_last_activity=1286313086; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /home/about/the_as_advantage/ HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=970953067; __utmc=178985382; exp_last_activity=1286313086; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /home/ascend HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /home/business_issues HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /home/contact HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /home/news_events/event/operations_user_conference2 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /home/products_services HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /home/products_services/product/sabre_community_portal HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /home/products_services/product/sabre_reaccommodation_manager/ HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /home/search/show_results HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.
However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.
Issue remediation
You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).
The following email address was disclosed in the response:
web@sabre.com
Request
GET /home/about HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The following email address was disclosed in the response:
web@sabre.com
Request
GET /home/about/complete_the_picture/ HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The following email address was disclosed in the response:
web@sabre.com
Request
GET /home/about/copyright_and_trademark/ HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The following email addresses were disclosed in the response:
contact.us@sabre.com
event.marketing@sabre.com
info@sabreairlinesolutions.com
opportunities@sabre.com
sabre.investor.relations@sabre.com
web@sabre.com
Request
GET /home/about/privacy_policy/ HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The following email address was disclosed in the response:
web@sabre.com
Request
GET /home/about/sitemap/ HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The following email address was disclosed in the response:
web@sabre.com
Request
GET /home/ascend HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The following email address was disclosed in the response:
web@sabre.com
Request
GET /home/business_issues HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The following email addresses were disclosed in the response:
contact.americas@sabre.com
contact.apac@sabre.com
emea.contact@sabre.com
web@sabre.com
Request
GET /home/contact HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The following email address was disclosed in the response:
web@sabre.com
Request
GET /home/news_events HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The following email addresses were disclosed in the response:
danielle.timlin@sabre.com
web@sabre.com
Request
GET /home/news_events/event/operations_user_conference2 HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The following email address was disclosed in the response:
web@sabre.com
Request
GET /home/products_services HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The following email address was disclosed in the response:
web@sabre.com
Request
GET /home/products_services/product/sabre_community_portal HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The following email address was disclosed in the response:
web@sabre.com
Request
GET /home/products_services/product/sabre_reaccommodation_manager/ HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The following email address was disclosed in the response:
web@sabre.com
Request
GET /home/search/show_results HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The following email address was disclosed in the response:
drew.diller@gmail.com
Request
GET /js/DD_belatedPNG.js HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
Response
HTTP/1.1 200 OK Date: Tue, 05 Oct 2010 16:12:30 GMT Server: Apache/2.2.3 (Red Hat) Last-Modified: Tue, 19 Jan 2010 21:29:53 GMT ETag: "e40681-1b6b-2ba4f640" Accept-Ranges: bytes Content-Length: 7019 Connection: close Content-Type: application/x-javascript
/** * DD_belatedPNG: Adds IE6 support: PNG images for CSS background-image and HTML <IMG/>. * Author: Drew Diller * Email: drew.diller@gmail.com * URL: http://www.dillerdesign.com/experiment/DD_belatedPNG/ * Version: 0.0.8a * Licensed under the MIT License: http://dillerdesign.com/experiment/DD_belatedPNG/#license * * Example usage: * DD_belat ...[SNIP]...
HTTP/1.1 200 OK Date: Tue, 05 Oct 2010 16:11:13 GMT Server: Apache/2.2.3 (Red Hat) Last-Modified: Tue, 12 Jan 2010 23:22:08 GMT ETag: "e40689-1096-ec314800" Accept-Ranges: bytes Content-Length: 4246 Connection: close Content-Type: application/x-javascript
/** * Cookie plugin * * Copyright (c) 2006 Klaus Hartl (stilbuero.de) * Dual licensed under the MIT and GPL licenses: * http://www.opensource.org/licenses/mit-license.php * http://www.gnu.org/li ...[SNIP]... kie will be set and the cookie transmission will * require a secure protocol (like HTTPS). * @type undefined * * @name $.cookie * @cat Plugins/Cookie * @author Klaus Hartl/klaus.hartl@stilbuero.de */
/** * Get the value of a cookie with the given name. * * @example $.cookie('the_cookie'); * @desc Get the value of a cookie. * * @param String name The name of the cookie. * @return The value of the cookie. * @type String * * @name $.cookie * @cat Plugins/Cookie * @author Klaus Hartl/klaus.hartl@stilbuero.de */ jQuery.cookie = function(name, value, options) { if (typeof value != 'undefined') { // name and value given, set cookie options = options || {}; if (value === null) {
The response contains the following Content-type statement:
Content-Type: text/plain
The response states that it contains plain text. However, it actually appears to contain unrecognised content.
Issue background
If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.
In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
Issue remediation
For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.
Request
GET /favicon.ico HTTP/1.1 Host: www.sabreairlinesolutions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
Response
HTTP/1.1 200 OK Date: Tue, 05 Oct 2010 16:12:30 GMT Server: Apache/2.2.3 (Red Hat) Last-Modified: Wed, 10 Feb 2010 20:56:40 GMT ETag: "36c009-37e-455c7200" Accept-Ranges: bytes Content-Length: 894 Connection: close Content-Type: text/plain